Not all registered investment advisors are afforded a Manhattan zip code, enough vice presidents to annex France, or a travel budget the size of our national debt. Quite to the contrary, it’s more the norm for the smaller RIA to have a Des Moines area code, a combined CEO/CFO/CCO/Office Manager and a travel budget big enough to drive to the local Sonic and back for lunch. More to the point: small business owners are not only tasked with running the business they created with sweat equity, they are expected by regulators to be their firm’s Chief Compliance Officer as well, and are subject to all the liabilities that attach to that role. This raises the question: how does one wear the CCO hat without it blowing off and exposing a toupee of a compliance program? To answer that raised question, I present five (relatively) easy steps to get the job done right.
Step One: Build on an Ethical Foundation
This step should go without saying, but the starting point of any RIA is a strong ethical foundation under which the client’s interests are always put ahead of the interests of the advisor (i.e., the very essence of being a fiduciary).
This ethical foundation should not only meet the technical requirements of Rule 204A-1 of the Investment Advisers Act of 1940m it should also be the driving force behind an RIA’s decision-making. Ethical considerations can arise in the seemingly innocuous daily operation of any RIA (investment allocation decisions, acceptance of benefits or compensation from service providers, personal trading activities, etc.), but it is important for the CCO to step into a client’s and a regulator’s shoes when faced with such decision points.
Take some time to review your Code of Ethics and compare it to the Rule 204A-1 requirements, which can be somewhat technical and nuanced. Your comparison should essentially be a gap analysis designed to fill-in any missing components and confirm that appropriate records are being maintained.
For a telling example of how the SEC views the investing public, read SEC Commissioner Elisse Walter’s speech at the 2013 NASAA Public Policy Conference, in which her prototypical investing client is “Aunt Millie”. When stepping into a client’s shoes to analyze an ethical decision point, step into Aunt Millie’s New Balances, not Biff Powersuit’s Berlutis.
Step Two: Assess Your Risk and Your Potential Conflicts of Interest
As the SEC has made explicitly clear, an RIA is expected to assess its risk and potential conflicts of interest, and build its compliance program accordingly. (See, for example, the SEC’s 2013 Examination Priorities: For a plain English translation, check out this document. Shameless plug? Guilty as charged.)
This expectation from the SEC is as equally incumbent upon the Wall Street mastodon firms as it is for solo practitioners, though the risks and conflicts themselves will naturally differ between the two. A risk assessment should identify the risk, assess how severe it is and how likely it is to occur, and what steps the RIA is taking to mitigate the risk, using an Excel spreadsheet as a starting point, for instance. A risk assessment is not static, and should be revisited at least annually or more frequently as new risks arise and others are eliminated.
The same can be said for how a firm evaluates its potential conflicts of interest; potential conflicts should be identified, mitigated, and most importantly, disclosed to clients in the advisory contract and/or Form ADV Part 2. Indeed, the general instructions to the ADV Part 2 read as follows:
As a fiduciary, you also must seek to avoid conflicts of interest with your clients, and, at a minimum, make full disclosure of all material conflicts of interest between you and your clients that could affect the advisory relationship. This obligation requires that you provide the client with sufficiently specific facts so that the client is able to understand the conflicts of interest you have and the business practices in which you engage, and can give informed consent to such conflicts or practices or reject them.
A conflict can arguably even be seen as a risk. The most important aspect of a risk assessment is what the RIA does with it, especially during the construction or reevaluation of the RIA’s compliance program. As one might expect, more severe risks that have the highest likelihood of occurrence should receive the most mitigation attention, and should be the subject of the most supervision and review by the CCO. The risk assessment should also directly influence how the RIA’s policies and procedures are drafted, which is discussed in the next section.