At an A4A webinar last Friday, I covered the major issues compliance RIAs need to know about to be prepared for a regulatory exam in 2014. The session covered a wide range of issues, including some sticky ones about how using an account aggregation application can trigger custody rules that are quite rigorous. Here's below are the questions and my answers. If you have follow up questions, please don't hesitate to post them here. (A4A members ($60 annually) can see a replay of the webinar now.)
Q: You talked about account aggregation apps unintentionally deeming an advisor to have taken custody of a client’s assets. Can you elucidate? Let’s an RIA is using ByAllAccounts, a popular account aggregation app for RIAs to track 401(k) assets, what might you do to trigger a problem?
This Website Is For Financial Professionals Only
A: Aggregation applications are intended to assist an advisor in avoiding custody — and, of course, enhancing their ability to provide advice on all client assets, even those held away. The challenge that advisors face is that many clients expect their advisor to take care of these administrative items. Just like logging into their 401(k) account as the client could possibly result in the advisor having custody, obtaining the client’s credentials to setup the aggregation service gives you the same level of access. These services strive to make it easy for the client to self-administer these accounts to provide the advisor with access. Advisors must resist the urge to accept the credentials and must insist that the client set up the aggregation feature themselves.
Regarding the custody rules: If an advisor has the ability to log into the client’s account as the client and change the contact information (email address, home address, phone, etc.) without some safeguard, the advisor has custody. The regulators look at this situation with the point that they can redirect information so that the client is unaware of what is happening with the account, thereby giving the advisor complete control. Advisors that must access an account at the client should perform requisite due diligence to make sure the level of access does not result in custody.
Q: ByAllAccounts only solves the custody problem with TRACKING, but it does not solve the problem of TRADING the 401k accounts. Advisors must have the client's credentials to place trades. How do you avoid custody if you want to manage 401k accounts?
A: Great question. As discussed above, aggregation tools are great for the investment decisioning, reporting and risk management. However, I have not encountered any tool that will enable trade execution. Some 401(k) providers and platforms allow advisors to create their own account access and link client accounts. However, it is very likely that an advisor in the business will have one, if not many, accounts that don’t provide any tools for the advisor. So the advisor must login as the client to trade. The next safeguard to check is to see if you have the ability to: 1) move money outside the account without the client involvement or 2) if you can change the contact information without notification.
Often withdrawals are handled outside the system or require completion of some additional paperwork. For contact information changes, if the plan sends an email to the client notifying the client that you made the change or sends a letter to the current address of record, that should be sufficient controls to demonstrate that you cannot change the client's information. You will want to validate this through contact to the provider. It would not generally be a good idea to just give it a try.
Q: ByAllAccts still requires us to have the access information for the 401(k), unless we have the client log in for us, which is still very problematic from the point of view of both the client and logistics for the advisor. It does not solve the custody issue.
A: As noted before, the custody rule is truly a burdensome rule and I encourage advisors to speak up about it. Let’s be honest…those that intend to do harm to clients by unauthorized movement of funds are likely not flagging in their ADVs that they have custody. Advisors know every bit of information about their clients, including social security numbers and other private information. Those that wish to do harm already have all the tools they need. I am not sure this rule has any real protections.
To answer the question, it does not solve the custody issue at all if you cannot get your clients to setup the aggregation themselves.
Q: Can you address the question about held-away accounts a little more in detail? How can we substantiate that we are unable to change data without actually attempting to do so on the site, which I would never do?
A: Great question. We don’t want to break the law to prove we are on the right side of it. While there is no great answer to this question, the best approach is to contact the platform, administrator or sponsor for guidance or assistance. The plan sponsor is a fiduciary for the plan, so they should be able to help you get info intended to protect the plan’s participants. I would suggest documenting the efforts, interactions and testing.
Q: We also use ByAllAccounts and we log into client accounts daily to download the data into Portfolio Center. We bill for this service the same as if the money was sitting in Schwab. Do we have to test every account to see whether we can change an email address or request a withdrawal to an address other than the client's? And, Andy - please don't use my name!
A: You do not need to test every account that is on the same platform or using the same administration, just the different providers. Different plans and sponsors may have different settings of some platforms. Through testing and communication with the platform, you will likely be able to determine the appropriate sample set. I would also perform annual due diligence on these accounts and providers to determine if anything has changed.
Q: If I confirm with a 401k plan client the trades to be made, AND contact the investment provider to have them make the trades (either rebalancing existing or future monies), wouldn't this be a work around in lieu of having online account access and making the changes online - if the call to the client is documented and the call to the investment provider is always recorded and there is a confirmation #? Wouldn't this be a way around custody?
A: This is certainly a work around the custody issue as you are not accessing the account to make the trades.
Q: If an advisor is deemed to have custody by virtue of accessing someone's 401k plan, for example, does this then connote custody for ALL other accounts for purposes of the SEC rule?
A: No and Yes. First, if you have custody for one account, you are an advisor with custody and subject to surprise inspections, disclosures, etc. However, you can demonstrate to the auditor that your custody is limited to specific accounts. The can validate the block of accounts to exclude from their examination and focus just on the accounts with custody. The ADV1 also requires that you only disclose the figures for the actual assets where custody applies.
Q: For advisors who have fees deducted quarterly from the custodian, assuming (a) client's have signed off on this arrangement and (b) receive invoices/the quarterly fees prior to the debits, would you see any reason why this would involve custody - using an independent custodian?
A: This is a common area of confusion. Thanks for accurately pointing this out.
FEE DEDUCTION = CUSTODY
However, if the advisor has certain safeguards in place, they do not have to deal with the implications of custody (surprise audits, ADV disclosure, financial requirements). As noted in the question, these safeguards, include:
1) Client account is held at a qualified custodian and the custodian provides the client with statements, at least quarterly.
2) Client provides written authorization to the advisor to have the fee deducted from the account. This is included in both your client agreement and the custodian account opening documents.
3) When the Advisor invoices the custodian, the advisor also sends a copy of the methodology to clients so that they can compare your statement to the custodian statement and have the ability to recalculate the fee.
Note: SEC advisors generally do not need to send the statement to clients as listed in item 3. Most, but not all, state advisors must follow this requirement.
Q: Chris said if you can move money you have custody. When I think of custody I think of can you move money OUT of the clients account -- a la Madoff....
A: Custody in the eyes of the regulators includes not only the ability to move money, but also the ability to redirect information regarding the account without the knowledge of the client. If the advisor is the only person with access to the account information the regulators view the advisor is controlling that account.
Q: Any recommendations for specific tools or software to help manage the compliance process?
A: The best tools for compliance are likely the tools you already have to run the business. The most effective compliance programs are those that are integrated into the operations of your business. Consider your CRM, reporting system, email and document management tools and an intranet as the most important compliance tools. A strong portion of risk management and compliance stems from strong recordkeeping and the ability to identify risks or errors.
A CRM can be a great compliance tool to help you:
- manage and test client suitability
- track gifts and entertainment
- track trade errors
- track complaints
- ensure that you have completed all annual compliance meetings
- develop a compliance calendar and document testing results for a client sample
- deliver your ADV
- document correspondence
Your portfolio reporting system can often generate reports to look at your business from a risk management perspective and not just a client perspective. For example:
- accounts with no/low activity
- accounts with high or low cash balances
- comparison to model, strategy or suitability
- periodic fee analysis
- review of trading costs
- portfolio concentration
- firm level composite portfolio concentration
- transaction level testing and verification
In addition, there are tools available for compliance monitoring, testing and general compliance knowledge. AdvisorAssist provides each client with an Advisor Compliance Portal. The Advisor Portal is a secure, cloud-based application (extranet) that houses all compliance documents, versions, testing activities, compliance certifications, compliance tasks, filings and communications relating to the compliance program. We use this application to avoid version control issues, maintain a sound audit trail and make sure compliance tasks are completed.
Advisors can implement these types of tools for their own business as well. An intranet is right up there with CRM in terms of impact to an organization. While having a network drive creates a common place for storage, it is far too easy to lose control over the structure and content. A well-designed user interface that makes it easy to find the necessary tools, documents, policies, etc. can be invaluable.
An intranet can be very cost-effective to implement. Google Apps for Business, Office 365 Sharepoint, 3rd Party Intranets, Wordpress and Joomla (secured sites) can be implemented without significant cost. As your needs grow you can integrate other tools.
Q: Do you have any recommendations for a sole proprietor? How does one do all this efficiently?
A: Great question. The best answer is to make sure you are not using a compliance program for a large firm. Far too often we encounter single person firms with 200+ page compliance manuals that we leveraged from another firm. The regulators take issue with policies that do not accurately reflect your business model. Make sure to customize and right-size your policies.
In addition to having a compliance program that fits, single person firms should seek outside support. This could be a compliance firm, another advisor that has a similar model, educational resources, etc. There’s quite a bit of information out there, but the rules and expectations continue to evolve. As the single person firm must cover every other aspect of the firm, we often see the compliance for the single person firm slip in favor of other critical business activities.
I suggest maintaining a compliance calendar or checklist to help you chip away at compliance at a steady pace throughout the year. While this rotational approach may be good advice for firms of any size, it has more impact for the smaller firm.
Q: With the way the SEC is now doing the inspections, how do you think exam will be handled when Dodd frank is implemented? I know that’s charged with political considerations, but who do you think will end up regulating RIAs? FINRA?
A: You nailed it – political considerations. FINRA has been quietly maneuvering and lobbying for a role in the RIA segment. While most advisors seek to keep them out of the mix, there is the possibility FINRA will have a role. There is the belief that they may at least obtain the right to examine and oversee hybrid firms. I do not anticipate that the state regulation for advisors will be disbanded.
Q: Some months ago, I (Andy Gluck) posted a blog suggesting the states be given responsibility for regulating RIAs with under $500 million AUM, up from the current $100 million. And I recently heard that one or two of the financial advisor professional associations with a stake in the debate was actually going to lobby regulators for approval of that scheme. Have you heard anything about that?
A: Many states have really increased their effectiveness with respect to the oversight of advisors (Effectiveness measured as increases in examinations, frequency of exams, educational programs, and addressing wrongdoing). There are some states that do not have a supervisory system in place (New York and Wyoming). I think the states are generally doing a solid job, but have some work to do before increasing the burden. There are also a significant number of firms in the $100 to $500 million band. The states will need to ensure they have the talent and resources to address more firms and likely those with more complexity. NASAA groups are working on some harmonization of regulations across states, which would need to be addressed before such a change could reasonable be implemented. An advisor would several hundred million is far more likely to have multiple states. I think the states would need to have a plan to truly leverage the home state examiners.
Q: On slide 21, aren’t these documents just templates you can buy and how to you know the difference between a template kept on file and an implemented policy acted upon by your RIA firm?
A: You can certainly purchase a baseline for your firm, but you do need to customize your compliance documents to reflect the business activities, risks and policies of your business. In addition, just having the documents is not enough. Advisors must know what is in the compliance program to be able to follow its policies.
Q: Can you talk more about the Firm Presentation?
A: The regulators need to understand your business to evaluate how effective your firm is at meeting its compliance obligations. I believe it is best to help articulate your business model to the examiners, instead of having them try to figure it out from document requests. The primary goal of this document is for an efficient audit but it has many other benefits.
- Help the examiners to understand your business model:
- Investment philosophy and process
- Client service model
- Your team and everyone’s roles
- Service providers and technologies you leverage
- Control environment
We find that advisors often don’t articulate all the risk management activities that they perform in a given day, week, month or year. When the topic of compliance comes up, the compliance manual and some testing activities seem to be the focus. As you think about your people, processes and controls consider all the risk management activities you perform.
Q: Do examiners always call before arriving?
A: No, unfortunately. They generally have the ability to just show up unannounced. Many states and the SEC will provide a few days notice for an exam to avoid unfair disruption. However, they generally do not afford enough time that you can perform a rush clean-up of your firm. If the regulators are there for cause, they often will not provide notice.
Q: How can you review your examiner’s background before he arrives?
A: This of course depends on the information you have about who is coming and the general composition of the team. If you have the opportunity to talk with the examiners prior to the exam, take it. Ask about their exam process, expectations for timing, time period under review, and other pertinent information.
Ask who will be coming so that you are prepared. For example, when the SEC comes, you will want to know the specialty or division. Is the examiner from inspections or enforcement. Will there be one, two or more examiners?
Q: What do you mean “request an exit exam?” Do you mean ask to meet with the examiners before they leave your office?
A: “Exam” is the wrong choice of word. Request an “Exit Interview”. Before the end of the onsite exam, request a meeting to share preliminary findings. Remember that their job is to make sure you follow the rules. If there is a deficiency, the sooner you address it the better. The examiners may not be ready to speak to all topics in detail, but will generally provide some directional guidance. It never hurts to be able to state that you corrected the deficiency before the exam concluded and you have a plan to prevent future occurrence.
Q: How friendly can you be with an examiner? Can you ask your examiner to join you for lunch?
A: This is a judgment area. The examiners are there to do a job and typically don’t take anything personal regarding your business. It is certainly OK to be cordial and joining them for lunch may be appropriate for the situation. I would suggest not offer to purchase lunch or anything that can be misconstrued. Making a comfortable environment for the examiner is generally appreciated by them. Remember, they have seen just about everything in their travels. So in short, polite and conservative is the best route.
Q: You talked about putting your examiner in a comfortable spot to work. How long will they be there and should it be in a bullpen or private office?
A: I would suggest that they examiners are provided a private space. You have a business to run while the exam is going on and they have work to do and will need to have private discussions. While you may have nothing to hide, limiting the conversations they have access to and providing a spot that allows them to be efficient is the best approach.
Q: What makes a wrap fee program a wrap fee? How is it different from a TAMP?
A: A wrap fee program is a structured investment program where a single fee is charged to the client. The “wrap fee” includes the advisory fees, transaction fees, and other fees wrapped together in a single fee. A Turn-key asset management program (TAMP) may employ a wrap fee model or have the clients responsible for paying the transaction costs for trades in their accounts.
Q: What is the bare-bones compliance regimen required for a solo, fee-only advisor operating without custody of client assets? What is the realistic risk of penalties for such a ""pure"" advisory practice?
A: This is a tough question to answer. As discussed above, while a solo-RIA is subject to the same rules as a firm with more than one supervised person, there is of course the reality of self-checking and a lack of separation of duties. The rules must be followed regardless of headcount. The best advice for a solo firm is to keep it simple and have a program that is aligned with the operations of the business. As there is one person to execute and supervise, it can be even more important to have good documentation.
Penalties don’t really differ based on headcount. The regulators have a mandate to protect investor interests. In the RIA realm, minor compliance shortcomings typically result in a deficiency letter and an opportunity for corrective action. Fines, suspensions and other actions don’t usually come into play unless there have been clients harmed, failure to supervise, or repeat issues.
Q: Can you have Chris provide an overview of services available from AdvisorAssist and cost estimates for different levels?
A: AdvisorAssist provides several support models for state and SEC advisory firms of all sizes. Our compliance support programs are tailored to the business models, scope of services and general risk model of each firm.
Our Compliance Essentials program is designed for smaller advisory firms. It covers the core annual compliance program for the firm, ADV amendments, maintenance of compliance tools and support in completing compliance tasks during the year. We provide guidance on SEC and state regulations and assist in preparing for and responding to regulator deficiencies. In addition to the core scope, we provide an allocation of flexible consulting hours to assist with other business and compliance projects.
Our Compliance Advantage program expands upon the Essentials, with proactive compliance management meetings, risk assessments, advertising reviews, and other testing. Often firms with more than one supervised person engage for this service level as it includes code of ethics administration and other oversight activities. The Compliance Advantage has different levels based on frequency of calls and the allocation of work between AdvisorAssist and the advisor.
In addition, we also develop customized solutions.
Pricing is determined based on the business model complexity, level of interactions and other aspects of the scope. Our pricing and service options are aligned for advisory firms of all sizes from the single person firm to large national RIAs.