Part 2: Strategies For Risk Mitigation & The Importance of Ongoing Reviews

In Part 1, we examined the complexities of SEC supervisory requirements and the risks faced by small RIAs. This second installment covers actionable strategies for crafting tailored compliance programs, mitigating specific risks, and conducting regular reviews to ensure adherence to the Advisers Act. Designed for small RIAs with limited resources, this guide provides practical steps to build a robust compliance framework that safeguards your firm and clients while meeting SEC requirements.

Crafting Tailored Compliance Policies

Under SEC Rule 206(4)-7(a), RIAs must adopt and implement written policies and procedures to prevent, detect, and correct violations of the Advisers Act. These policies form the foundation of a compliant RIA, guiding personnel and ensuring consistent decision-making. Generic, pre-packaged compliance is inadequate and risky, as the SEC dictates that policies be tailored to each firm’s unique operations, client base, and risk profile. Enforcement actions, such as that in OMNI Investment Advisors Inc. (2011), underscore the consequences of failing to customize compliance programs.1

Beyond Generic Checklists: Steps For Developing Effective Policies

  1. Identify Unique Risks:
    • Analyze your firm’s operations, including client types, investment strategies, and processes, like trading or fee calculations.
    • Pinpoint high-risk areas, such as the potential for unauthorized trading or incomplete disclosures, specific to your business model.
  2. Design Targeted Procedures:
    • Draft clear, concise policies addressing identified risks.
    • Ensure that the procedures are practical for small teams, avoiding overly complex rules that strain resources.
  3. Document & Communicate:
    • Maintain written policies in an accessible format, such as a secure digital manual.
    • Train staff, or (for solo RIAs) engage external consultants to review and validate policies.
  4. Avoid Generic Templates:
    • Steer clear of off-the-shelf compliance manuals, which the SEC views as inadequate.
    • Customize policies to reflect your firm’s specific conflicts of interest and operational nuances.

Example: A small RIA offering discretionary portfolio management might engage a compliance firm to assist the CCO, so that a second person participates in the review of the firm’s tailored policies and the review is properly documented.

Effective and compliant policies are essential. In a settled enforcement action2 against an adviser that had adopted a “pre-packaged” policies and procedures manual which failed to reflect the adviser’s own risk factors or conflicts of interest, the SEC found that the adviser had violated Rule 206(4)-7 by failing to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act by the adviser’s supervised persons.

Designating A Chief Compliance Officer (CCO)

Rule 206(4)-7 mandates that RIAs designate a Chief Compliance Officer (CCO) to oversee the firm’s compliance program. The CCO must have a thorough understanding of the Advisers Act and sufficient authority to enforce policies. For small firms, the CCO role can either be filled by an existing employee, or outsourced, provided that adequate time is dedicated to advisory compliance (In re Feltl & Company, Inc., 2011).

CCO Responsibilities

  • Develop & Update Policies: Ensure that procedures align with current regulations and firm operations.
  • Monitor Compliance: Oversee implementation, including regular checks on trading, disclosures, and client asset protection.
  • Report To Leadership: Provide updates on compliance status, and recommend adjustments as needed.
  • Engage External Support: For solo RIAs, consider outsourcing the CCO role to firms that offer compliance consulting for independent oversight and enhanced credibility.

Example: A two-person RIA might designate one partner as the CCO, with quarterly reviews conducted with an external firm to address self-supervision concerns raised in arbitration.

Addressing Key Risk Domains

The SEC requires policies covering critical areas to mitigate risks inherent in RIA operations. Below are key domains and strategies to address them.

  1. Portfolio Management:
    • Risk: inconsistent allocation of investment opportunities, or misalignment with client objectives.
    • Solution: Implement policies for documenting client investment goals and reviewing portfolio consistency, using tools like Morningstar for alignment checks.
  2. Trading Practices:
    • Risk: failure to meet best execution obligations (In re Scudder Kemper Investments, Inc., 1999).
    • Solution: Use digital trade approval systems and conduct periodic best execution reviews, documenting findings.
  3. Client Disclosures:
    • Risk: inaccurate or incomplete disclosures to clients.
    • Solution: Tailor disclosures, and review them quarterly to ensure accuracy and compliance with the SEC marketing rule.
  4. Safeguarding Client Assets:
    • Risk: misuse or conversion of client funds.
    • Solution: Implement access controls (including separation of duties, so that no single person can both move client funds and approve the movement) and regular reconciliations of firm records against custodian statements, using independent custodians like Schwab or Fidelity for secure asset management.
  5. Recordkeeping:
    • Risk: inadequate or unsecured records, vulnerable to alteration or loss.
    • Solution: Ensure that books and records are complete, and use cloud-based systems for secure, timestamped recordkeeping that meets SEC retention rules: records must be protected from loss or alteration, access must be limited to authorized personnel, and copies must be readily reproducible on request.
  6. Privacy Protection:
    • Risk: breaches of client data confidentiality.
    • Solution: Encrypt client records at rest and in transit, restrict access to those who need it, and train staff on privacy protocols, aligning with the SEC’s safeguards requirements under Regulation S-P.

Example: To address trading risks, a solo RIA might use a platform, like Advyzon, to document trade reviews and generate audit-ready reports.

The Critical Role Of Annual Reviews

Rule 206(4)-7(b) mandates annual reviews to assess the adequacy and effectiveness of compliance policies and their implementation. These reviews are not a formality — they’re a vital process to identify gaps, adapt to changes, and demonstrate diligence to regulators.

Conducting Effective Reviews

  1. Evaluate Policy Effectiveness:
    • Test whether policies actually prevent violations, using methods like phishing simulations for staff or spot-checks of disclosure accuracy.
    • Assess implementation through staff interviews or external audits.
  2. Adapt To Changes:
    • Engage a compliance or cybersecurity training firm to keep staff current on evolving regulatory obligations.
    • Review enforcement trends to align with changes in SEC priorities (e.g., the SEC’s new AML requirements).
  3. Document Findings:
    • Maintain detailed records of review processes, findings, and corrective actions in order to rely on the Safe Harbor Act.
    • Store documentation securely for SEC examinations or arbitration defense.
  4. Engage External Experts:
    • For small RIAs, periodic reviews by third-party consultants provide objectivity and credibility, addressing self-supervision concerns.

Frequency: Conduct quarterly checks on high-risk areas (e.g., billing, disclosures) and a comprehensive annual review. Perform ad hoc reviews after significant changes, such as new regulations or client disputes.

Example: A small RIA conducted an annual review and identified gaps in its disclosure process. By updating its procedures and training staff, the firm avoided potential SEC scrutiny during a routine examination.

Leveraging The Safe Harbor Act

The Safe Harbor Act (the supervisory safe harbor in Section 203(e)(6) of the Advisers Act) shields RIAs from failure-to-supervise liability when they establish reasonable procedures and diligently execute their supervisory duties under those procedures.

To maximize this protection:

  • Maintain comprehensive documentation of policies, reviews, and supervisory actions.
  • Regularly test procedures to ensure effectiveness, using such tools as mock audits.
  • Engage external compliance experts to validate your program, particularly for small firms facing scrutiny over self-supervision.

Example: An RIA was accused of violations related to its employees’ use of off-channel communications for business purposes, which were not preserved as required by the Advisers Act recordkeeping rules. While the firm was charged with a civil penalty, the SEC’s order explicitly noted that it had “considered certain remedial acts promptly undertaken by [the RIA]” — indicating that an RIA’s own remedial efforts play a role in the outcome of SEC enforcement actions.

Practical Strategies For Small RIAs

  • Prioritize High-Risk Areas: Focus initial efforts on marketing review and disclosure policies to address common SEC enforcement triggers.
  • Use Cost-Effective Tools: Leverage affordable platforms, like RegEd or WebCE, for compliance training and recordkeeping.
  • Outsource Compliance Support: Engage firms like AdvisorLaw, for CCO services or ongoing reviews to enhance credibility.
  • Stay Proactive: Monitor SEC updates via the Investment Adviser Regulation Office’s website to anticipate regulatory changes.

Looking Ahead

Tailoring compliance programs, addressing specific risks, and conducting regular reviews are crucial to meeting SEC standards and protecting your RIA from regulatory and legal challenges. These proactive measures both ensure compliance and build client trust and firm resilience.

In Part 3: Safeguarding Your RIA & Understanding SEC Consequences, we will explore how expert support can strengthen your compliance efforts, detail the severe consequences of noncompliance, and provide a roadmap for navigating the regulatory landscape with confidence.

Stay tuned for actionable insights to secure your firm’s future.

1 See, e.g., In the Matter of OMNI Investment Advisors Inc. and Gary R. Beynon, Investment Advisers Act Release No. 3323 (Nov. 28, 2011); In the Matter of The Buckingham Research Group, Inc., Buckingham Capital Management, Inc., and Lloyd R. Karp, Investment Advisers Act Release No. 3109 (Nov. 17, 2010); In the Matter of Consulting Services Group, LLC, and Joe D. Meals, Investment Advisers Act Release No. 2669 (Oct.)

2 In the matter of Consulting Services Group, LLC, and Joe D. Meals, the SEC stated that these policies and procedures should cover, at a minimum, the following areas to the extent applicable to the adviser.
