2020 Compliance For RIAs

Cathy Vasilev
07/28/20 4 PM EST
Program Id: 660004611

For state and federally registered investment advisers (RIAs), the 2020 compliance landscape comes down to:

Reg BI
Fee calculations
Cash Management
Outside Brokerage Accounts
Personal Trading

The main learning objective of this class is to give CCOs and owners of RIAs what they need to know to fulfill their regulatory responsibilities in the current environment.

Cathy Vasilev is a founder of Red Oak Compliance Solutions, which advises 400 RIAs on regulatory compliance. With over 25 years of FINRA and SEC compliance experience at broker/dealers, serving registered reps as well as CCOs and CEOs at RIAs, Cathy co-founded Red Oak to serve RIAs in 2010. She previously served as the Assistant Vice President of Supervisory Systems and Controls at NFP Securities, an independent B/D and RIA, and also was an Associate Manager for Prudential, where she supervised 75 representatives, performing all compliance functions for the branch. Cathy began her career as a stockbroker for Salomon Smith Barney. Cathy earned a Master's of Business Management degree. She is a member of the Association of Compliance Professionals, the National Society of Compliance Professionals, and Compliance and AML Professionals; she maintains FINRA Series 7, 24, 26, 63 as well as Life and Health licenses.


This webinar is eligible for one hour of CE credit towards the CIMA® and CPWA® certifications, CFP® CE, PACE credit toward the CLU® and ChFC® designations and live CPA CPE credit.

2020 Compliance For RIAs Q&A

Gluck: Practically speaking, how does Form CRS differ from the Form ADV? And are all state RIAs not subject to Form CRS? Thank you, Jason.

Vasilev: Yeah. So, currently, none of the states have adopted Form CRS. Oklahoma had come out and said it was going to do it, and then they reneged on it and said they’re not going to do it because there is no ability for a state registered advisor to file it online. They were going to have to file it manually. So, the states are waiting for the CRD system to be amended so that it can be accepted, and then we will start seeing it. It will happen sometime next year, I’m quite certain of that, because states are usually six to nine months behind the SEC.

And Form CRS is a different version of a Form ADV. The Form ADV was required to be written in quote, unquote, “plain English.” You had to have the identified 18 or 19 section, and then you’re registered. Form CRS, they went into great detail about how they want it laid out. There are 10 questions that have to be included in the form that are questions that the SEC has written that are for clients to ask. And you have to say, “Here are 10 questions that you should ask your investment advisor.” They have stipulated very specific verbiage that has to be included in it, and of course they always stipulate the format. So, a lot of firms wanted to just say, “Refer to my Form ADV item four for this information,” and the SEC came back and said, “No, that’s not sufficient. You need to put in what your services are instead of referring it to the document.” You can refer to the ADV for further explanation, but you still have to have the basic inclusions in the document.

Gluck: Cathy, what are examples of conflicts that can not be disclosed and must be mitigated or eliminated?

Vasilev: Most conflicts of interest can be mitigated. A conflict of interest is, “I’m the chief compliance officer and I’m also the chief sales officer. I’m a one-man RIA. I do both.” That can be mitigated. Things that can’t be mitigated, you can’t say, “I’m a Ponzi scheme and I’m going to take all your money and run away” in small print somewhere on the document, and say, “Yep, mitigated. It’s good.” So, you can’t disclose that you’re about to commit fraud and say, “OK, my conflict of interest is fine.”

Gluck: Yeah. Yeah, I disclosed it. Yeah. I disclosed it, so, yeah.

Vasilev: I disclosed it.

Gluck: So, therefore, I can … Yeah. That’s pretty funny. OK, let’s go with this one here. We have a cybersecurity policy based on our IT firm’s model that we modified. And we spoke with them and have documentation with questions and answers, et cetera. We also keep articles on the topic in a file. However, are we more on the basic side of knowledge? What more can we do as a solo shop, since we will never comprehend IT and all of the ins and outs involved in cyber?

Vasilev: The first thing you need to make sure is, if you have a cybersecurity policy, one, you understand what it is that is in that document, written, that you are supposed to be doing. And then you make sure that you adhere to it. No compliance officer and no small firm is ever going to be able to understand IT and understand all of it, but you need to understand what it is the document says you’ll do, and then your doing of it. If it says you have eight-digit passwords, you have eight-digit passwords. If it says that you have a vendor that periodically checks your firewall, then you have a vendor that periodically checks your firewall.

I will say it is quickly approaching [laughs] the step where they’re going to start requiring firms to do penetration tests. Right now, they’re recommending them, but they’re going to start requiring it because the hackers have just become so sophisticated. And it’s so voluminous that it is no longer a “I can’t get hacked. I’m unhackable.” Now it’s just everybody waiting to figure out when their turn is for them to get hacked, because nobody’s unhackable.

Vasilev: And I will say that your best policy is … We write cybersecurity policies. They are based off of NIST, which is one of the two formats that the SEC recommends. You need those IT people to look at it and to tell you what’s reasonable, what isn’t reasonable, can they do this, can they not do this. You need that knowledgeable set of eyes looking at it and helping you to understand where your obligations are, so that you can actually do it.

Gluck: Yeah. I want to show you this. Can you see my screen?

Vasilev: Yes.

Gluck: With the email on it, over here?

Vasilev: Mm-hmm.

Gluck: So, this was a very clever malware scam that I came across just the other day, July 22nd. What you could see is that I forwarded it to my partner, who’s the IT guy in our company, who’s not the IT, but one of … He’s the top CTO. And Steve, I sent him this, because I thought this was really clever. And this is the kind of stuff that Cathy was referring to that is happening all over the place now, where it says, “I need five quantities of the Google gift cards.” They’re faking being me, by the way. So, where it says, up at the top, “From: Andrew Gluck,” they’re spoofing my email. Now, we see, because this was forwarded, this email, so it exposes the fact that the email address is not my email address.

Vasilev: It’s not you.

Gluck: It’s not agluck@advisor products. It’s office@mysecure, which is a very clever address because that looks legit, that mysecure-email-admin. That looks really cool [laughs]. And so, you might overlook that. So, first they sent her an email that spoofed me saying, “Are you available?” And she said to me, “Why did you ask me if I’m available?” She called me later. Anyway, it’s just something that I think everybody needs to watch out for, because this stuff, that’s the kind of thing you meant.

Back to Slide 8: Cathy Vasilev Contact Info and Bio

Gluck: And you can’t see the properties. You can’t see those things, the email address and the links, unless you hover over them, as you say.

Vasilev: Exactly. Mm-hmm. Every single one of my employees has received one of these a week for the past three weeks. And they have taken turns selecting either they came from me, or they came from our CTO, or they came from our office manager, a surprise party. Yeah, they were good.

Gluck: Is there a portfolio performance reporting system that includes billing, et cetera? You mentioned Tamarac and Black Diamond, but are there any—

Vasilev: There’s ORION. ORION’s really good. There’s Charles River. That one’s pricey, but that one is very good. Those are probably the biggest ones.

Gluck: Yeah. There was actually somebody I’ve been talking to about that stuff that I need to take care of that might be interesting for a lot of A4A users. I’ve got to work on that. Now, what if a client’s agreement has one fee schedule from many years ago, and the current AD fee has a different fee schedule? Can’t the advisor keep the prior fee schedule for the applicable clients?

Vasilev: Yes, because they’re grandfathered in based on prior ADVs.

Gluck: Do you have a preference on password managers?

Vasilev: No. Whatever works. There’s a bunch of them.

Gluck: Is there a disadvantage to not using a law firm for compliance because non-attorneys—tough question—aren’t restricted to attorney-client privilege in the event of litigation? Wow.

Vasilev: I’m going to tell you there’s an advantage to using compliance consultants over an attorney because this is what we do every day, all day long, and attorneys do a lot of other things. And they’re very, very good at the things that need to be done for attorneys, but they’re not always as great when it’s just compliance, especially when it’s nitty-gritty compliance that has to do with what you do day in and day out. They’ve never done it. They’re just not as familiar with it. Yes, with consultants you do not have the client-attorney privilege. That is true. But there’s so many ways to destroy your client-attorney privilege through emails and copying things to other people that are not party to that contract that sometimes you end up not having client-attorney privilege even though you think you do.

Gluck: OK. Well, we’ve gone over time. I apologize for that. So sorry, everybody, but we’re only about 10 minutes past the hour. And I thank you, Cathy. Cathy Vasilev from Red Oak Compliance. We hope to do this again with you soon. Please, everybody, be constructive. Let us know what we can do to make this really useful to you. Cathy, thank you again. Everybody out there, we’ll see you next time. Thank you again, everybody. Take care.

Vasilev: Thank you, everyone.

More than 50 hours of CFP® CE credit and more than 100 hours of Investments & Wealth Institute® credit on replays available 24/7 to paying members ($120 annually) of
Advisors4Advisors.com. CPAs are eligible to receive CPE for attending live webinars only. To learn how to receive continuing professional education credit viewing webinar replays, please see our detailed instructions.

User reviews

53 reviews, average rating 9.1

Very insightful & helpful