As federal and state governments focus their attention on cutting costs, it seems safe to say that securities regulators will need to look for ways to reduce expenses. Instead of conducting onsite compliance examinations of RIAs on a regular basis, securities regulators may need to select those firms that pose more of a threat to investors. Because of limited budgets and fewer employees, securities regulators might depend on risk-based oversight to do their job effectively. To cope with tight budgets and limited resources, the SEC will continue to strengthen risk-based oversight of RIAs and brokerage firms.
In a press release issued by the SEC on August 12, 2011, the Commission announced that its new whistleblower program took effect that day. The Dodd-Frank Act authorized the SEC to pay financial rewards to whistleblowers providing new and timely information about securities law violations. In the press release, the SEC observed that it has fewer than 4,000 employees who must regulate more than 35,000 entities. As a result of the whistleblower program, the SEC will receive tips and complaints from persons suspecting unethical or illegal conduct in a firm or with an RIA, thereby helping the Commission to identify firms posing a higher level of risk to investors. We will analyze the new whistleblower program in Whistleblowers.
According to the SEC’s Study on Enhancing Investment Adviser Examinations, there are three types of exams:
- Examinations of higher-risk advisors
- Cause examinations triggered by tips, complaints, and referrals from a different federal or state agency
- Special purpose reviews, such as risk-targeted examination sweeps and risk assessment reviews
The SEC’s study noted that, “Risk-targeted examination sweeps are generally limited in scope, focus on specific areas of concern within the financial services industry, and cover a broad sample of regulated entities regarding those areas.” Risk assessment reviews are limited-scope examinations of an RIA’s general business activities and certain portions of the firm’s books and records. The goal is to help the SEC better assess the risk profile of an RIA.
Background Information on Risk-Based Oversight
In 2003, the SEC transitioned to a risk-based approach to examinations. In adopting that approach, the Commission focused more of its resources on RIAs with the greatest potential for causing an adverse impact on investors. Today, the SEC has the same goal—to spot RIAs whose activities may cause harm to investors. Though the SEC’s technological capabilities have improved, tips and complaints are still a big part of the risk equation.
The SEC relies heavily on electronically-provided data supplied by RIAs. It is quite common for the SEC to obtain an electronic file containing all of an advisor’s trades during the period covered by an exam. This allows the SEC to analyze trading patterns to determine if the firm is engaged in undisclosed activities or arrangements that pose a threat to clients. This analysis might reveal other risks that could harm clients. For example, the SEC might learn that an RIA is trading securities for its own account in a manner exploiting information gained from managing clients’ money.
Regulators might also compare the performance of clients’ accounts to an RIA’s personal and proprietary accounts that use similar investment strategies to determine if there has been any preferential treatment. The data can be analyzed to find out if IARs’ personal trades were more profitable than clients’ trades. The data might also reveal a personal trade resulting in exceptional returns, which may raise a red flag.
The SEC has access to information derived from filings, publicly-available databases, and other sources. The Commission has developed a mechanism for assessing relative risks among RIAs, based on data contained in Form ADV and the results of an examination of the firm’s compliance controls.
According to a speech by a former director of the Office of Compliance Inspections and Examinations (OCIE), the SEC has computer programs to identify RIAs that pose a higher risk to investors. On December 16, 2008, Lori A. Richards said:
“In September of each year, a risk-profile algorithm is run against the investment adviser IARD database to identify all advisers that have higher-risk characteristics based on responses in their Forms ADV, Part I, including their disclosed assets under management, number and types of clients, affiliations, other business activities, compensation arrangements, brokerage arrangements, and disciplinary history.”
When an RIA updates its Form ADV each year, the firm’s risk profile is likely to change.
Risk Factors that Trigger Enhanced Oversight of RIAs
As the SEC assesses risk, the Commission homes in on the characteristics of a firm that might lead to problems down the road and harm to investors. The process might be compared to an insurance company’s underwriting process, where the carrier evaluates the risk factors posed by an applicant. As a general rule, the SEC and other securities regulators believe that the risk is greater where an RIA:
- receives performance-based fees;
- sells products and services other than investment advice;
- engages in principal transactions and cross trades;
- makes use of solicitors;
- assumes custody of a client’s cash and/or securities; and
- has a dubious disciplinary history.
An RIA that is viewed as high risk is likely to be examined more frequently than a firm that poses less threat to investors. Some risk factors may take precedence because the SEC is focusing on activities that have become a priority. For example, after Madoff’s Ponzi scheme made headlines across the globe, custody became an extremely high priority for securities regulators.
Exam Focus Areas for RIAs
Many RIAs have avoided examinations by the SEC, because they were not regarded as high-risk firms. When he testified before a Senate subcommittee on November 16, 2011, Carlo V. di Florio, current director of the OCIE, said that only eight percent of RIAs were examined in 2011. In fact, 38 percent of SEC-registered investment advisors have never undergone an examination by the Commission.
When an exam does occur, examiners will be paying particular attention to certain areas of concern. In a speech on March 21, 2011 at the IA Watch Annual IA Compliance Best Practices Seminar, Carlo V. di Florio discussed compliance best practices and stated that the SEC will focus on the following areas:
- Conflicts of interest
- Portfolio management
- Performance and advertising issues
- Asset verification
- Risk governance
- Business continuity and disaster recovery
Mr. di Florio indicated that the SEC would also monitor issues such as the use of social media.
The SEC’s goal is to protect advisory clients by focusing on particular areas. For example, if an RIA over-values a client’s assets, the firm is able to charge higher advisory fees and clients pay more than they should. Similarly, the goal of business continuity and disaster recovery plans is to protect clients whose assets will be exposed to risk if an unexpected event or catastrophe occurs.
In his speech, di Florio took note of the SEC’s risk assessment and surveillance models. He pointed out that aberrational performance is a great risk indicator. If an RIA’s performance returns seem to be unusually high, it is much more likely that examiners will come for a visit to confirm that these results are accurate and well-documented.
While state examiners may not have access to the same risk assessment and surveillance models, they have other means at their disposal to assess risk. An examiner with the Pennsylvania Securities Commission recently told RIAs that he looks at a firm’s advertisements when deciding whether to conduct an examination.
Potential Drawbacks of Risk-Based Oversight
The OCIE’s risk-based exam approach is not foolproof. According to a 2007 Government Accountability Office (GAO) report, the success of the OCIE’s approach depends on its ability to accurately assess the level of risk at individual firms. If the OCIE mistakenly categorizes an RIA as a lower risk, the firm’s harmful practices might go undetected. In the report entitled Steps Being Taken to Make Examination Program More Risk-Based and Transparent, issued in August 2007, the GAO stated that 90 percent of RIAs are designated as lower risk.
If a firm has not been examined, the SEC uses publicly-available information to identify risks inherent in an RIA’s business model, such as conflicts of interest. The GAO report recommended that the SEC obtain and analyze the documentation associated with each firm’s annual compliance review of its policies and procedures. Rule 206(4)-7 under the Investment Advisers Act requires that SEC-registered advisers review their policies and procedures annually for improvement. With this information in hand, the SEC would be better equipped to determine what compliance controls are in place to mitigate present risks. Based on the annual audit, the Commission might determine that a firm categorized as high-risk does not fall in that category, because the RIA has a robust compliance program in place.
The SEC believes it is getting better at risk-based oversight. According to Robert Khuzami, director of the SEC’s Division of Enforcement, the Commission now has high-tech tools at its disposal to fight fraud. In his remarks before the Consumer Federation of America’s Financial Services Conference on December 1, 2011, Khuzami said:
“And we have been bringing 21st Century IT into the battle, increasing our use of sophisticated analytic tools and data-based templates. This helps us identify suspicious patterns and activities before they have hatched into full-blown frauds. Together, these initiatives are designed to allow us to detect much of the fraud to which retail investors are particularly vulnerable — and to detect it sooner than previously possible. This reduces the number of people who become victims, minimizes the harm to those who unfortunately have already been victims, and increases the odds we will catch the perpetrators, bar them from working in the industry and return the funds to defrauded investors.”
Advanced data analysis helps the SEC uncover the warning signs of deception.
In some cases, the SEC does not need to sift through publicly-available information in order to identify the risks arising from an RIA’s business model. Information received from a whistleblower or a complaint from an irate client trumps any data the SEC might obtain from publicly-available sources. Once the SEC hears from a whistleblower or a client, the RIA in question is much more likely to be classified as a higher risk.
The Big Picture
Even if the SEC had a larger budget and more resources—an unlikely scenario in the current political climate—it is doubtful that the Commission could examine all RIAs on a regular basis. Therefore, to better utilize its resources, the SEC is likely to continue relying on risk-based oversight to fulfill its mission of protecting investors.
States may have their own risk criteria to determine which RIAs to examine. Whether a firm is SEC or state-registered, regulators are likely to schedule an exam if a firm is viewed as a high-risk RIA.
An examination will usually have one of three outcomes. Ideally, an RIA will receive a letter indicating that no deficiencies were identified. A second possibility is that the RIA will receive a letter outlining the deficiencies discovered by the examination team. The RIA must respond to the letter and correct any deficiencies pointed out by examiners. The third possibility is that deficiencies will be referred to the Division of Enforcement to protect investors from harm.
In the vast majority of cases, RIAs will receive deficiency letters and will agree to comply. As part of the solution, RIAs will almost always need to strengthen their policies and procedures to protect clients and prevent future compliance problems from occurring.