From the May 2004 issue of Investment Advisor

Playing by the SEC's Rules

The SEC's Gene Gohlke reveals what you need to know about compliance

Compliance is such a bogeyman for RIAs. Registered representatives have a compliance officer and branch manager to answer to. And, say what you will about the difficulty of working with a B/D compliance officer or branch manager, the requirement that you clear everything you do provides a clear path for getting answers about the way you conduct your business.

For RIAs, answers are harder to come by. So to get the straight facts about the most pressing RIA compliance issues--including e-mail retention and new rules requiring RIAs to appoint a compliance officer and write compliance policies and procedures--I went straight to the source: Gene Gohlke.

Gohlke, who sports Ph.D. and MBA degrees in business administration from the University of Wisconsin and is also a certified public accountant, manages the Securities & Exchange Commission's program for the examination of registered investment companies and investment advisors. A 19-year SEC veteran and associate director since 1986, Gohlke serves in the commission's Office of Compliance Inspections and Examinations. Keep in mind that Gohlke does not set policy or make rules. Only the commission can do that, and what Gohlke has offered in this interview is his opinion. Still, in the 90 minutes he gave me, he offered specifics about what RIAs need to know now.

You recently were quoted saying that advisors had to retain e-mails for as long as 20 years. That quotation was taken out of context. It's true only in a limited context relating to the calculation of an advisor's performance. An advisor has to keep information that supports his advertised performance for the period of time that is covered by the performance information, plus five years. For example, say an RIA has a performance composite showing its return for the last 15 years. It must keep supporting documentation showing how the performance calculation was computed for each of those 15-year periods plus five more years. That's how you'd get up to 20 years.

Are we talking about e-mail only or all performance data? It's information that supports the performance claim, how is it calculated, and supporting documentation. And e-mails may relate to those numbers.

So how long does e-mail have to be kept? Putting aside e-mail that may relate to performance, if the information in an e-mail is required to be kept by the existing books and records rule, which has applied for years to RIAs, then it's generally five years. If it relates to performance, then it could be longer. If the information in an e-mail is not such as is covered by the books and records rule, then there is no retention period.

What exactly is covered? What does an RIA need to retain? Matters concerning your business operations; your financial activities, such as your cash receipts and disbursements; communications with clients; transactions in clients' portfolios, such as if a portfolio manager is placing orders using e-mail from the firm's trading desk, those e-mails more than likely must be retained; records of personal trading by insiders. Anything an RIA would be required to retain for paper-based information under books and records would be required to be retained if held electronically. The information is identified in the books and records rule.

Does an RIA need a written policy on e-mail storage? Yes. If not now, certainly come Oct. 5, when the new compliance rule goes into effect. That rule requires written compliance policies and procedures, and guidance for a firm's employees. So it makes a lot of sense to have written policies regarding what information to keep as a firm and what information you can get rid of. E-mails being among that set of information, it's a very sensible compliance procedure to have written policy for the retention of e-mails.

Do e-mail archives need to be stored on site? You need to keep relevant information for five years. The books and records rule requires that the information be preserved and maintained in a readily accessible place for the entire five-year period. For the first two years, required information must be kept in an appropriate office of the adviser. Once that two-year period is over, required information could be kept off site. But it still has to be produced promptly, meaning within 24 hours.

What if you use Web servers that are offsite from an RIA's office? Is that okay? We have accommodated them, so as long as the advisor can produce the records in its office, that is the same as storing it in its office. So say an advisor in New York uses an e-mail server that is physically located in South Dakota, that's okay, so long as the advisor can access the e-mail in its office.

Is it also required that an additional copy of all your e-mail be stored offsite, for disaster recovery purposes? I don't think there is anything in the books and records rule that says that or gets you there specifically. On the other hand, an advisor is required to keep records for five years, and that information has to be produced promptly when requested. Taking all of that together gets you to the point where an advisor needs to think about things that can happen to its required information and take reasonable steps to make sure it is not destroyed prematurely. The advisor owes a fiduciary duty to its clients. If a lack of planning causes vital client records to be destroyed and hampers an RIA's ability to perform contracted services to a client, clearly the advisor hasn't fulfilled its fiduciary duty to the client. So if the advisor doesn't want to spend the money to have a backup process or doesn't take the time to think out a business continuity plan, it ought to be making pretty good disclosures to its clients that they are at risk.

Why does the SEC care so much about e-mail but not what RIAs say over the phone? You don't require that RIAs record all phone conversations with clients. You can say the same thing for an earlier time when communications were on paper. Why did the SEC require certain paper communications to be kept and not all telephonic communication? That's the way it is. It may be great to have all phone conversations recorded as well. It's a good question, but all I can say is that this is where the commission has drawn the line.

Was the new get-tough policy on e-mail developed in response to the mutual fund scandal because so much of what was learned about fund company malfeasance was uncovered by studying e-mail? Yes. A number of the arrangements for market timing and late trading were found on e-mails, but not necessarily written down or recorded in any type of traditional paper-based records. So it was not too much of a leap to say that as part of our examinations, we would look at e-mails.

Many advisors may have been using e-mail for five or six years, but may not until now have had a retention system in place. Do these rules apply only going forward? If an RIA has been using e-mails for the last five years, and it has a policy of cleaning off its e-mail server after any e-mail is 60 days old, then it most likely has been routinely destroying certain information that it was required to keep. It has a problem.

But I think it is probably not uncommon for an RIA to not have done anything about e-mail retention until recently. That could be, but the books and records rule requires that certain information be kept. Yes, I understand the rule is written in the context of records produced on paper. But what it really covers is information. If that information happens to be in an e-mail or instant message, the recordkeeping rule still applies to it. That didn't just change in September. It's been that way for many years. Advisors may not have interpreted it that way, but certainly on the broker/dealer side of things, for some time now, the NASD has required that broker/dealers retain e-mail. So there is some precedent on the B/D side. Advisors have had a duty to keep information in e-mail that is covered by the books and records rules ever since they started using e-mail.

At what point will you begin, or have you already begun, citing advisors who don't retain e-mails? We are doing that right now.

Are you simply citing this in a deficiency letter? That is a fairly common way of how it is being handled, particularly if we don't find any other material problems. But I don't ultimately make those calls. And whether that policy will change or will continue is also not my call.

B/Ds are moving to filter e-mail sent by their registered representative. On the RIA side of things, e-mail does not have to be screened by a compliance officer before it's sent. Is the SEC moving in that direction? There is no current requirement to do that.

If an RIA archives to his hard drive or to a tape backup, is that okay? Or does the e-mail archive have to be written to non-rewritable CDs or another storage medium that is not rewritable? It can be a medium that is rewritable but the adviser should have built in adequate protections so that required information is not erased prematurely.

Does the SEC have written policies regarding e-mail compliance? What are they and how specific are they? Other than to the extent one can say that the books and records rules are written and apply, there are no written rules for RIAs specifically covering e-mail. But there probably will be in the near future.

There are new rules regarding compliance officers and internal compliance controls. Can you give us an overview? They are lengthy rules. They say that, as of Oct. 5, every registered advisor is required to have written compliance policies and procedures that are effective. The procedures must assist in making sure that compliance problems don't happen. And if bad things do happen, these procedures will assist in identifying those bad things and lead to their correction, and ensure appropriate remedial action will be taken. The entire thrust is to focus the attention of advisors on the need for good compliance procedures and then require certain steps to make sure that the procedures, in fact, do work, and that the advisor takes the necessary time and effort to implement the procedures.

What action is required now to comply? The rules require that an RIA have effective compliance procedures across its entire advisory business. Between now and Oct. 5, an RIA would need to evaluate what is its business. Who are its partners? Who are its affiliates? How does it conduct its business? Who are its clients? Does it have certain clients who pay performance fees, while others pay fees based on assets under management? Where in its business are there potential conflicts of interest? Where in its business and its relationships can bad things happen to its advisory clients? Then, based on that type of risk identification process, an advisor should determine controls and management techniques to ensure to the extent possible that those bad things don't happen, and that conflicts of interest are managed so that the result is consistent with the disclosure the firm has made to its clients. After having done all that, if the advisor says, "Well, my existing procedures cover all of that. My existing procedures do everything the rule requires," then there is probably not much more the advisor has to do except appoint a chief compliance officer that has the responsibility for making sure on a continuing basis that the advisor's compliance processes are effective.

If an advisor has been attentive to having good compliance, and has a good compliance culture, the new rule may not have much of an impact on that RIA. On the other hand, for an advisor that has been less attentive to having good compliance, the rule could have a substantial impact. The RIA will have to go through all of its business arrangements and look for conflicts, figure out what the firm has put in place to prevent and quickly identify problems, and put additional control procedures in place. It may be necessary to institute new reporting requirements, new exception reports, and new management reports to ensure that by Oct. 5 its compliance procedures are effective.

This new rule is adding a requirement to create policies and procedures to manage conflicts of interest and potential problems. Yes, creating policies and procedures that will effectively manage compliance issues, and require firms to institute a process on a continuing basis. There has to be a process to monitor what's going on in the firm, to identify new areas that need new controls, new compliance policies and procedures, and to then make sure those things get implemented quickly. It is not just a one-time shot.

The idea of chief compliance officer in an RIA firm is something I've already heard advisors complain about. The main thing seems to boil down to having one person on the hook for the job. One person coordinates the compliance process, but can't always do all that is needed. Everybody in the firm has to have a stake in compliance, some more than others. The compliance officer is the focal point. That person is the driving force, making sure risks are regularly identified and promptly managed.

The compliance officer must be a principal or somebody of some stature, right? You can't just hire someone off the street. A CCO must be knowledgeable about the activities that the firm is engaging in. They have to be knowledgeable about how conflicts of interest can arise, how bad things can arise. They need to be knowledgeable about how controls can be effective, how the implementation of controls can be monitored.

Can it be a secretary or administrative assistant? I suppose it could be. But in my view it's important to consider what that person brings to the position. Does that person have enough stature within the firm, so that he or she will be listened to?

But it doesn't have to be a full-time job. Correct. It needs to be a job that is in line with the size of the firm and the nature of its business. If you have a two-person shop, you probably don't need to hire a third person to be the full-time compliance person. For a larger firm, it might very well be necessary to hire somebody full-time.

The policies that RIAs need to write up--how long are they? It depends on the nature of the firm's activities. Several paragraphs in some cases could be fine. Other cases may need compliance policies that cover many pages. Above all, the policies must be effective, comprehensive, and reflect the nature of the firm's activities, and they must actually be implemented. You cannot just hire a consultant to come in, or buy a book on compliance procedures, put the study or book on the shelf and say, "Aha, there is our compliance system." That won't work. The policies must be tailored to the firm and implemented effectively. They must really work. Your policies must make sure that bad things don't happen, but if such things do happen, they will be caught quickly and corrected, and the environment that gave rise to them will be eliminated. In addition, an annual review is required. This extends to your service providers as well. Suppose an advisor uses a third-party solicitor to look for clients. The compliance officer needs to make sure the solicitor is also conducting his or her affairs consistent to what is expected every year. You need to watch for red flags along the way. Are there complaints from clients that have come in through that solicitor? That's a red flag. There had better be compliance procedures in place that ensure appropriate follow-up on all those red flags.

According to the SEC's 2002 annual report, you inspected 1,570 investment advisors and 278 fund companies. How many audits did you do in 2003 and what was the focus? We did about the same number of audits, 1,550 RIAs and 265 fund family complexes. Potentially everything the advisor does or should be doing is our focus.

Yes, but in any given year, you do have specific focus areas. And those change from year to year. There are some basic areas that we will always cover, including looking at the control environment of the firm. We go through a fairly similar process in conducting a routine exam. We try to identify the major activities of the firm that can cause harm to the clients. What are the bad things that can happen at this firm, given who the people are, its clients, its businesses, and who its affiliates are? Then, we compare that to what the firm identifies as its major risks to its clients. The second step involves an evaluation of policies, procedures, and controls that the firm has or thinks it is using to address those risk areas. Throughout, we are obtaining documents, e-mails, talking to people. We evaluate whether the control procedures are effective. Are they finding the bad stuff? If bad stuff is found, is it corrected promptly?

We assess control procedures--that is a major focus. Then we test-check transactions, pretty much in all areas, but we adjust the extent of transactional cross checking based on how effective or ineffective we think the controls are in an area. We examine allocations of trades for clients. We want to understand what type of trades the firm has, what type of clients the firm has, and what are the firm's policies for allocating IPOs, allocating block trades, taking a look at how effectively those policies are implemented. We may look at all IPOs that the firm got for a month or a quarter and look at the allocations. Was it handled consistent with the policy? Is it consistent with disclosures to clients? Is the net result fair to clients?

Are there any new focus areas? There are a number of new areas, including proxy voting. There are new rules in place for both funds and advisors regarding how they vote proxies on securities owned by their clients. We want to make sure that their procedures are consistent with the rules. We are also looking quite closely at how advisors use commission dollars that their client trades generate. That presents advisors with very significant conflicts of interest.

Like what? What the advisor gets other than execution of a trade by causing clients to pay commissions to a particular B/D. Does what the advisor gets go beyond research? Does it pay for shelf space? For sales of mutual funds, does the RIA pay for client referrals? Are trades being placed with a pension consultant because the advisor wants to get in on a short list of firms recommended to a pension plan? All of those things involve potentially bad uses or inappropriate uses of clients' commissions. We would hope that the firm itself, the advisor himself, has identified all those potential areas of harm as part of a good compliance process and has put controls in place.

So proxy voting and soft-dollar arrangements are on the list of things you are interested in. What else? Best execution is another area and so is valuation of client assets. It's not only in the mutual fund area that valuations are important, but it's also important for non-fund advisory clients because it affects the performance that the advisor calculates. It affects the advisor's fees. So there may be incentives for advisors to overstate the value of clients' securities.

Many RIAs use one custodian. How do you say that you are giving best execution, if you are just using one custodian for your clients? An advisor may not be getting best execution in that circumstance. Advisors perhaps ought to be making better disclosures to their clients and tell them that "because our clients have their securities all custodied at XYZ broker or ABC broker, we place all of your trades through that broker and we have limited or no ability to negotiate commission rates." We also expect the advisor to periodically evaluate the alternatives. Are there other brokers that also provide custody and that offer lower commission rates that offer better execution prices? If an advisor isn't periodically evaluating the alternatives, we comment on that.

Does the SEC have goals for the frequency of compliance audits? Yes, we'd like to examine the largest 100 advisory firms, which include fund companies, at least every two years, as well as any other firm outside of that top 100 that is identified as a higher-risk firm. Everyone else every four years, and all lower-risk advisors, every five years or so.

So for the typical RIA that reads this magazine and who doesn't run a mutual fund, your goal is once every five years. Assuming we have not classified them as high risk, yes.

Ninety percent of the examinations in 2002 turned up deficiencies. What are the most common deficiencies? Probably the most common would be inaccurate or incomplete information on an advisor's Form ADV.

Other common deficiencies? Inaccurate or misleading advertising, usually performance advertising, is common. A firm may not be calculating performance numbers correctly, so clients are being misled because in almost all cases these problems result in a higher performance than what the advisor actually has. Also, problems with personal trading--not reporting personal trades in accordance with the regulations. It could be that the advisor has poor controls in the areas of placing personal trading.

Another big area is brokerage arrangements and best execution. Advisors are required to periodically, maybe once a year, evaluate their arrangements at broker/dealers. What are they getting? What are clients paying?

Another common problem is in internal controls in the area of portfolio management. An advisor must have an effective system to monitor trading decisions before a trade goes through. So if a trade goes through and it is inappropriate for a client, it may only be found after the fact. Many advisors have a front-end portfolio management system, where they can test the transaction before it is executed against client restrictions and against the clients' objectives.

About 3% of deficiencies in 2002 resulted in a referral to the SEC's enforcement division. What are the most common reasons to refer cases to enforcement? Stealing doesn't happen that often. [But] maybe the advisor has an arrangement for getting kickbacks from brokers, maybe not cash but services, paying his rent, limo services, country club dues. Another reason is where a registered rep at a broker has an unwritten arrangement with an RIA saying that he will refer brokerage customers to the RIA for money management if the RIA sends all of the customers' trades back through him. So the rep gets commission credit and typically in those situations the advisor does not negotiate the commission rates that the client pays, and those commission rates are much higher than other clients of the RIA and those referred clients are not aware that they are paying more. That is a huge conflict, a big problem.

Another class of referrals is recidivist activity, where we have told an RIA about a problem and they don't fix it. If we come in the next time and they have not fixed it, and in addition to not fixing one problem, other problems crop up, we tend to refer those cases directly to enforcement.

In general, it sounds like RIAs are going to be under greater scrutiny. They will be under greater scrutiny and we may find more problems as we dig deeper. Everybody has just got to realize we are much more aggressive now and that what it takes to refer something to enforcement is perhaps less than what was needed six or twelve months ago. We will be requesting more records, probing much more deeply into an RIA's control procedures, particularly when the rule goes into effect October 5. When we find that firms ignored the rule, and certainly if their clients have suffered harm because a firm failed to adequately evaluate its control procedures, the firm has got to be prepared for a rough session with the SEC.

Editor-at-Large Andrew Gluck, a veteran personal finance reporter, is president of Advisor Products Inc. (www.advisorproducts.com), which creates client newsletters and Web sites for advisors. Advisor Products may compete or do business with companies mentioned in this column. Gluck can be reached at agluck@advisorproducts.com.
