Tom Giachetti, chairman of the securities practice group of the securities law firm Stark & Stark in Lawrenceville, N.J., has some words of wisdom for advisors in 2012 regarding compliance: be prepared—first, to answer questions you were never asked before, and second, to explain policies that were never a previous area of concern.
In short, says Giachetti, who each month writes the Compliance Coach column in Investment Advisor magazine, "The world has gotten much different post-Madoff."
Those RIA firms remaining under the jurisdiction of the SEC after the “big switch” of smaller advisors to state jurisdiction, he says, will find the agency "asking questions that are new, and … exploring different issues and areas they never have before or in a manner they never did before." Four major concerns for the SEC will have you rethinking how you handled such matters in the past, because the odds are that you will have to change—if you haven’t already.
Key SEC Concern No. 1: Confidentiality
At the top of Giachetti’s list come confidentiality and privacy. You will find yourself providing confidentiality agreements not just for your staff, he says, but also for vendors, your landlord—in short, anyone with access to your offices. "The SEC wants to know," says Giachetti, "what means you take to make sure the information you get as a fiduciary is secure."
Key SEC Concern No. 2: Branch Supervision
The next area of concern on Giachetti’s list will affect firms with branch or satellite offices: the SEC will want to know your procedures for monitoring and supervising those branches. Giachetti says his office provides a checklist, so that main offices "are able to show what they’re doing on an ongoing, continuous basis relative to those individuals that provide services from a satellite or branch office."
Key SEC Concern No. 3: Internal Processes
The third big area of concern for the SEC is a new interest in your procedures—or, as Giachetti says, "Show me what you do and why and how you do it. What do you do with a new client, with a new employee?" The SEC will want to see your internal protocols, whether you use a calendar or a checklist, and whether you initiate them at the onset of a relationship with a new employee or client. "It’s the responsibility of the firm," he adds, "to indoctrinate the new employee with regard to appropriate policies and procedures they must be aware of: privacy, business continuity, and so forth."
There is a misnomer on the SEC exam, he explains, concerning mandatory training for employees. There is no requirement, he says, but it is incumbent on the firm to have some means of letting employees know proper policies and procedures. He suggests that firms have at least one annual compliance meeting for the discussion of a multitude of compliance topics. Further, everyone should sign in for the meeting. "Take it seriously," he urges.
Key SEC Concern No. 4: Manager Due Diligence
The final key concern of the SEC is another "big area post-Madoff," Giachetti says: due diligence. "Many firms lose sight of this," says Giachetti. "Many do a lot of due diligence on managers," he adds, "but don’t have files showing what they did initially to determine whether these were appropriate managers—and not only initially; what did they do going forward? Is there electronic transparency to monitor underlying transactions to be sure the manager is doing the right thing?"
He adds, regarding the SEC’s examinations of RIA firms, "If you are hiring or recommending those managers away from a major custodian’s platform, you have a responsibility for enhanced due diligence. Have you confirmed the manager’s business continuity plan? Its best execution plan? Are they meeting those criteria?" He characterizes it as a "Missouri position; don’t tell me, show me. It’s not enough to tell me your processes; show me that you’re doing X, Y and Z."
When it comes to exams, says Giachetti, "regulatory requirements and best practices are two different things … and none of the old stuff is relevant." If you aren’t prepared to demonstrate that you are doing the right thing in front of SEC examiners, he says, everything you do on a day-to-day basis is for naught.
Oh, and About Your CCO…
Your choice of chief compliance officer is another area in which you must exercise caution. The CCO must be someone who is involved in the procedures of the firm, warns Giachetti, and who understands the investment process and how the firm operates, so as to be aware of all compliance-related issues.
"The chief compliance officer needs to be someone with stature within the firm, and somebody who can successfully conduct an investigation on behalf of the firm when regulators arrive," says Giachetti. "You can’t have someone as CCO who can’t do that, and then bring the CEO in. The SEC will say, ‘Where is the CCO? Where is the person you entrusted with this responsibility?’"
The CCO also must pay close attention to two documents: the annual chief compliance officer review and an annual risk assessment. While there is no regulatory requirement for the latter, says Giachetti, there are three questions on the exam that ask whether you have addressed your risks.
On Investment Committee Minutes, AML, Budget
There are other areas of interest that you may still need to be concerned with, depending on which region or office conducts the examination. One regards investment committee minutes. If you are going to have such minutes, says Giachetti, make sure they are vetted and adopted. Another has to do with Patriot Act anti-money laundering (AML) measures. While employees still must be educated on it, it is mostly no longer on the exam, although at some point it may return; presently it is not required as long as your custodian has AML measures in place. The third has to do with your compliance budget. Giachetti says this question only raises difficulties. How can you have a budget, he asks, when regulations are changing almost daily, and if you do have such a budget and exceed it, do you simply stop pursuing compliance? Of course not.
Some of the switch in the SEC’s exam focus is toward more critical processes. It is now far more concerned with how an advisor discharges his fiduciary duty in safeguarding a client’s information and in not impacting the underlying integrity of a client’s assets.
"Compliance is not a box, or a set of documents," says Giachetti; "it is knowing your responsibilities and how to discharge them, and how to demonstrate to regulators that you are effectively doing so."