The U.S. Securities and Exchange Commission's Risk Alert provides additional information regarding the Division of Examination's risk-based approach for both selecting registered investment advisers to examine and in determining the scope of risk areas to examine. It sets out the documents and information that staff will initially request as well as additional requests for information and documents from the adviser the staff may request as the examination progresses. Firms need to be aware that electronic communications–with all of the modalities such as emojis, GIFs, additions and deletions–are specifically included in the regulator's risk-based approach.
Risk-based approach
Some of the reasons the Division may select an adviser to examine include, but are not limited to, one or more of the following:
- the firm's risk characteristics
- a tip, complaint, or referral
- the staff's interest in a particular compliance risk area - one of which is clearly recordkeeping given the recent expansion of enforcement action to include investment advisers.
There are also firm-specific risk factors that the staff considers when selecting advisers for examination, such as those related to a particular adviser's business activities and regulatory history.
Examinations typically include reviewing advisers' operations, policies and compliance practices with respect to certain core areas. Information regarding the compliance program, risk management, and internal controls includes specifically complaints, correspondence and electronic communications. As well as the process for monitoring those communications.
Firms need to be aware that the scope of electronic communications need to be considered. For instance, the expectation is that a firm can identify, capture, search for and retrieve an angry face emoji which may well be deemed a complaint.
During an examination, the regulator's staff will request documents and information and will expect the firm to be able to retrieve all the requested records promptly in order to be able test the effectiveness of the adviser's compliance policies and procedures for monitoring, mitigating, and managing risks. Simple policy maintenance is not enough - firms need to be able to evidence that their policies and procedures are working in practice.
Robust recordkeeping underpins compliance with information requests
The Risk Alert is aimed at registered investment advisers but the need for robust and comprehensive recordkeeping is universal for financial services firms. Without the ability to capture, retain, search and retrieve all relevant records, firms will simply not be able to respond to information requests and, by association, will not be able to evidence their compliance.
Firms may well have done all the right things in all the right ways but unless they can evidence that compliance, it will be seen as a breach by the regulator. Before a regulator even gets to assessing compliance with specific rules and requirements, a firm that cannot produce requested information will be found to have violated recordkeeping requirements.
The Risk Alert gives a general outline as to the likely initial request for information which would typically include:
- general information, which provides the staff with an understanding of the adviser's business and investment activities;
- information about the compliance risks that the adviser has identified and the written policies and procedures the firm has adopted and implemented to address each of those risks;
- information to facilitate testing with respect to advisory trading activities; and
- information for the staff to perform its own testing for compliance in various areas.
All of the above areas will require a firm to be able to retrieve the required information and that can only happen if the firm has already identified, captured and retained the information.
Regulatory patience is running out
The Risk Alert is set against a backdrop of now more than $2.5bn in fines having been imposed for communications recordkeeping failures. Regulators around the world expect firms to learn from enforcement actions and in particular to review whether their own business activities could suffer from the same gaps in compliance. The Risk Alert makes clear that it is describing risks that firms may consider to not only assess their supervisory, compliance, and/or other risk management systems but also to make any changes to address or strengthen such systems.
In practical terms, firms would be well advised to review their approach to communications compliance and ensure that they have appropriate technical controls and evidence to facilitate the capture, retention, search and retrieval of all relevant records, emojis specifically included.
Originally published Oct 16, 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.