TOP STORY—OCIE outlines compliance issues with advisers providing robo-advisory services - 12 November 2021
OCIE staff issued a deficiency letter to nearly every adviser it examined, with problems most often relating to compliance programs, portfolio management, and performance advertising.
In a series of examinations to assess the practices of investment advisers providing robo-advisory services, the SEC’s Office of Compliance and Inspections (OCIE) observed a number of compliance issues which it has outlined in a new risk alert. Along with the deficiencies, the staff offered recommendations on how advisers can improve their compliance.
Advisers have been providing automated digital investment advisory services (“robo-advisory services”) for more than 20 years, but the staff noticed a recent spike in the number of advisers choosing to provide these services. The advisers either exclusively provide online services or supplement their traditional investment advisory services by using proprietary software and/or third-party software.
In light of the sudden increase in robo-advisory services, and as part of its electronic investment advice initiative (“eIA Initiative”), OCIE conducted the examinations to assess the practices of advisers providing such services. The exams focused on how robo-advisers were upholding their fiduciary duty to provide clear and adequate disclosure regarding the nature of the advisers’ services and performance history, and act in their clients’ best interests.
OCIE said that nearly all of the examined advisers received a deficiency letter. According to the risk alert, the problems most often occurred in the areas of compliance programs, including policies, procedures, and testing, portfolio management, including, but not limited to, an adviser’s fiduciary obligation to provide advice that is in each client’s best interest, and marketing/performance advertising, including misleading statements and missing or inadequate disclosure. OCIE also observed that some advisers were relying on, but not acting in accordance with, the Internet adviser exemption and Investment Company Act Rule 3a-4.
Compliance programs. The OCIE staff found that most advisers had inadequate compliance programs, usually because they lacked written policies and procedures, or had procedures that were insufficient for their operations, or were unimplemented or untested. OCIE observed advisers that did not include elements in their policies and procedures specific to their use of an online platform and/or other digital tools for providing investment advice, such as assessing whether the advisers’ algorithms were performing as intended and whether asset allocation services were occurring as disclosed.
OCIE found that a number of advisers failed to undertake a sufficient review of their policies and procedures at least annually to determine their adequacy, and the effectiveness of their implementation. Many advisers did not detect inadequacies or non-compliance with their marketing and performance advertising practices, and several failed to recognize that certain practices constituted custody, causing the adviser to violate the Investment Advisers Act’s custody rule, according to the risk alert.
OCIE also determined that a number of advisers did not comply with Investment Advisers Act Rule 204A-1, known as the “Code of Ethics Rule.” Specifically, OCIE staff observed that some advisers did not receive the required holdings and/or transaction reports from all access persons, obtain or maintain the required written acknowledgments from all supervised persons confirming receipt of the advisers’ codes; and/or include in their codes all required provisions.
Portfolio management. In the area of portfolio management, the deficiencies fell into the areas of oversight and disclosures and conflicts. Oversight issues included not testing the investment advice generated by their platforms to clients’ stated or platform-determined investment objectives. OCIE observed that advisers either lacked written policies and procedures that would allow the firms to develop a reasonable belief that the investment advice being provided to clients was in each client’s best interest based on the client’s objective, or adopted policies and procedures that were inadequate or not followed. Many also lacked written procedures related to the operation and supervision of their automated platforms, and related to the prevention of violations of legal requirements related to their duty to seek best execution.
With respect to disclosures and conflicts, OCIE observed inaccurate or incomplete disclosures in many advisers’ Form ADV filings, including those related to conflicts of interest, advisory fees, investment practices, and ownership structure. Some advisers had third parties recommend the advisers or provide execution services for advisory clients but did not disclose that the parties were actually affiliated with, and received compensation from, the advisers for the referrals, trades executed, or both. OCIE also found that advisers omitted or had insufficient disclosure regarding how they collect and use information gathered from a client to generate a recommended portfolio, omitted disclosures regarding processes for addressing profits and losses from trade errors, or provided inconsistent disclosures regarding advisory fee calculations.
Performance advertising and marketing. OCIE found that more than one-half of the advisers it examined had advertisement-related deficiencies. The staff observed that some advisers made misleading or prohibited statements on their websites, or used materially misleading performance advertisements on their websites, including hypothetical performance results of an investment model applied retroactively without including disclosures that would make the presentation not misleading.
OCIE determined that some advisers provided inadequate or insufficient disclosure about “human” services. This included whether interactions with live individuals are available, mandatory, or restricted; whether they cost extra; or whether the client is assigned a financial professional.
Cybersecurity and protection of information. OCIE found that while all of the advisers had business continuity plans, and the majority had implemented written policies and procedures regarding identifying and recovering from cybersecurity events, fewer advisers had procedures that addressed protecting the firm’s systems and responding to such events. OCIE also observed advisers that were not in compliance with Regulation S-ID, Regulation S-P, or both because they: 1) had “covered accounts” but lacked written procedures designed to detect, prevent, and mitigate identity theft, 2) lacked or did not implement written policies and procedures addressing compliance with certain elements of Regulation S-P, and/or 3) did not deliver initial and annual privacy notices to all clients when required to do so.
Discretionary advisory programs. The risk alert includes details on the staff’s review of the use of discretionary investment advisory programs by more than two dozen advisers under the eIA Initiative. In these examinations, the staff assessed whether the programs provided each retail client with individualized treatment and enabled clients to maintain certain indicia of ownership of the securities in their accounts as required for reliance on Investment Company Act Rule 3a-4.
Where the staff observed that compliance with Rule 3a-4 was not specified, it reviewed whether alternative measures that addressed their status under the Investment Company Act were being employed. OCIE also examined whether advisers had adequate disclosures about the programs that addressed implications under the Investment Company Act and had adopted and implemented effective written procedures to address the provisions of Rule 3a-4 or any alternative measures employed to address Investment Company Act status questions.
Staff recommendations. The risk alert includes a section with OCIE staff suggestions on ways to improve compliance. For starters, the staff recommends that advisers adopt, implement, and follow written procedures tailored to the adviser’s practices. Next, advisers should test algorithms periodically to ensure that they are operating as expected.
The staff stated that at advisory firms where algorithm-related testing was performed at least quarterly, it observed the following practices: 1) testing frequently was performed by the advisers’ algorithm designers or software developers, but rarely in isolation—most included one or more other groups in their testing process, such as portfolio management, compliance, internal audit, and IT staff; 2) where compliance was included in the process, compliance staff performed independent testing and also relied on work performed by others, and 3) exception reports or other reporting mechanisms commonly were used and frequently involved a combination of high-level and account-specific results.
OCIE staff also recommends that advisers use safeguards to prevent unauthorized algorithm changes. Best practices include exclusively limiting code access to certain persons, and providing compliance staff with advance notice of substantive algorithm changes or overrides.
© 2021 CCH Incorporated and its affiliates and licensors. All rights reserved.