How New Technology and Regulations Will Impact the Future of RIA Compliance May 24, 2017 FPA of Georgia

GJ King President, RIA in a Box GJ is the President of RIA in a Box® which provides compliance and operations support to over 1,500 registered investment adviser (RIA) firms. He is a frequent industry speaker on the topics of RIA compliance, operations, and technology best practices. GJ previously worked in the investment management division of Goldman Sachs serving as a trusted advisor to a select group of high net worth entrepreneurs, families, and foundations. King holds an MBA from the Graduate School of Business at Stanford University and a BA from Brown University.

Disclosures RIA in a Box is not a law firm, CPA firm, or registered investment advisory firm. None of the information presented, advice given, or services rendered should be considered legal, tax, accounting, or investment advice.

Today’s Topics Technology New Rules Form ADV Changes Audit Future System Adoption How it Comes Together New Rules DOL Fiduciary Rule Form ADV Changes Audit Future Stats to Know Big Data Exam Scope & Frequency

Today’s RIA Technology Landscape CRM is the hub.

Integrated RIA Compliance Technology CRM Portfolio Management & Reporting Document Storage Archiving Compliance Platform CRM is the hub.

Your CRM System 48% of RIA firms use a CRM system today* 2015 AUM growth rate: 4.6% vs. 2.0% average Most popular solutions are Redtail and Salesforce General client information and notes Good business practice that is crucial during any regulatory issue Integrated calendar and tasks Documentation of compliance program implementation Client suitability information Top deficiency cited during regulatory exams Client location Is your firm registered in all proper jurisdictions? Documented processes via workflows Internal review and approval processes for investment recommendations Everything should integrate with CRM. Source: 2016 RIA in a Box Technology Survey

Your Portfolio Management & Reporting System 48% of RIA firms use a portfolio management and reporting system today* 2015 AUM growth rate: 3.8% vs. 2.0% average Most popular solutions are Morningstar Office and Orion Form ADV filing information Automatically aggregate and normalizes data across multiple custodians Calculate total regulatory assets under management (“AUM”) Discretionary vs. Non-discretionary AUM by client type Systemized advisory fee billing Manual fee calculation is a major compliance risk Opportunity to determine a “reasonable fee” Systemized review of client portfolio performance Are there any outliers? Orion integration Source: 2016 RIA in a Box Technology Survey

Your Document Storage System 46% of RIA firms use a document storage system today* 2015 AUM growth rate: 4.8% vs. 2.0% average Most popular solutions are DropBox and Box Official books and records Foundation of your firm’s compliance program Organized client documentation Ability to produce required client files Business continuity Ability to access files and continue operations during a business disruption Benefits of cloud storage -> talk about security Source: 2016 RIA in a Box Technology Survey

Your Archiving System ~50% of RIA firms use an archiving system today Some systems focus exclusively on email Some systems archive across all channels (social media, text, etc.) Requirement to keep correspondence and advertising records Can lead to serious regulatory issues Easier compliance monitoring Centralizes capture of all information to allow for easier review Demonstrate “Culture of Compliance” Ability to demonstrate program implementation during an exam Can be expensive

Your Compliance Software Platform 39% of RIA firms use compliance software today Some systems focus exclusively on employee trade monitoring Some systems serve more broadly as your firm’s compliance hub Implement a comprehensive yet efficient program Perform only relevant tasks based on your firm’s profile Centralized compliance program documentation Organize all competed activities in a digital compliance log Supervise staff Track and document all staff attestations and activities Automatically capture all employee trade data More efficiently review employee trades vs. client trades Last frontier of RIA technology Source: 2017 InvestmentNews Adviser Technology Study

DOL Fiduciary Rule This rule does impact RIA firms but it is manageable June 9, 2017: Comply with the Impartial Conduct Standards Example impacted investment recommendation scenarios: IRA rollover from a Qualified Retirement Plan IRA rollover from another IRA Switch from commission-based to fee-based IRA

Impartial Conduct Standards CRM & Doc Management Best Interest Reasonable Compensation Portfolio Management No Misleading Statements

Five Steps to Comply Qualify for streamlined Level Fee Exemption Educate and train all staff members Create an “IRA Investment Recommendation Checklist” Implement a process to review recommendations Establish additional procedures to ensure compliance

Form ADV Changes This rule impacts all state and SEC-registered RIA firms October 1, 2017: New Form ADV becomes effective Significant changes include: Disclose company social media pages Disclose use of outsourced Chief Compliance Officer More detailed AUM information by client type More detailed information on Separately Managed Accounts More detailed information on Wrap Fee Programs

Three Steps to Comply Begin to organize portfolio management and reporting information to mirror Form ADV data fields Ensure that all social media pages are properly archived Document all new required information by October 1, 2017

Establishing the Culture of Compliance While the above statement is a sometimes overused phrase in the RIA compliance world, our team of former regulators can assure you that it is taken very seriously by every regulator in every jurisdiction. If you are successful in demonstrating a “culture of compliance” at your firm and willingly cooperate with the examiners, your exam is more likely to have better results.

Keep the Proper Books & Records Know the rules applicable to your firm SEC Rule 204-2 Georgia Rule 590-4-4-.14 Are you aware of your jurisdiction’s Books & Records requirements? Inspection of the firm’s books and records is a key audit focus Don’t wait to prepare these until requested by the examiner Unique Georgia requirements Specific supervision rules including annual office inspection Make sure you bookmark your jurisdiction’s rules – NJ follows SEC books and records rule SEC: 18 items with subsections ranging from financial statements to client information to policies and procedures and documentation of annual review

Elements of Effective Compliance Program Annual Review Written Policies & Procedures Code of Ethics Staff Training & Attestations Risk Assessment & Compliance Calendar P&P COE – stand alone doc or part of P&P Training of advisory personnel and attestations from them Will move fairly quick through first 3 topics; meat of today’s presentation will be Implementation of your program.

Policies & Procedures SEC has stated: Even small advisers may have arrangements, such as soft dollar agreements, that create conflicts… Advisers of all sizes, in designing and updating their compliance programs, must identify these arrangements and provide for the effective control of the resulting conflicts...We would expect smaller advisory firms without conflicting business interests to require much simpler policies and procedures than larger firms. Policies and procedures requirement applies to all investment advisers regardless of size

Policies & Procedures Rule 206(4)-7 under the Investment Advisers Act of 1940 requires SEC registered investment advisers to: adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and rules under the Act. conduct a review, no less than annually, of the adequacy of the policies and procedures and the effectiveness of their implementation. designate a Chief Compliance Officer (CCO) to administer the policies and procedures. Rule 206(4)-7 is a classic area of enforcement. Common mistakes include: has manual but doesn’t implement it, manual that is not tailored, just updates Form ADV but doesn’t implement a program, don’t conduct an annual compliance review, no documentation of any reviews, or insufficiently qualified or empowered CCO

Policies & Procedures (Cont.) At a minimum, the SEC has stated the policies and procedures should address the following (if applicable to an investment adviser’s business): Portfolio management processes – allocation of investment opportunities among clients, consistency of investments with investor goals, disclosures Trading practices – procedures to determine best execution, allocation of aggregated trades among clients Proprietary trading of the adviser and personal trading of supervised persons (Code of Ethics) Accuracy of disclosures to clients and regulators – brochure, advertising Accurate creation and secure maintenance of required records

Policies & Procedures (Cont.) Marketing – use of solicitors Processes to value client holdings and assess fees based on those valuations Safeguards to protect client assets from conversion or inappropriate use by advisory personnel Safeguards to protect client information Business continuity plans If we created your P&P, all of these items are covered in varying degrees depending on your business model. If you’re a new IA or aren’t sure if your P&P cover all these items, I suggest you pull them out and read them. Business continuity: proposed rule from the SEC not finalized, but still expect you to have one as part of your fiduciary responsibility

Code of Ethics Requirement to have language that all supervised persons will comply with security laws. Requirements for reporting of access persons’ personal securities transactions and holdings and pre-approval of IPO investments and limited offerings. Procedures to report violations of the Code and sanctions for violations. Requirement to provide copy and obtain annual acknowledgments. A COE is very important part of your P&P so it gets special attention. The risks addressed by the COE are present in every firm and address activities that pose serious risk of harm to your clients. Often where regulators discover fraud within a firm that hasn’t been caught.

Staff Training & Attestations Provide investment adviser personnel with copies of Policies and Procedures, Code of Ethics, and Privacy Policy. Do they understand them? Individual’s attestation that they have read, reviewed, and understand Initially, annually, or when modified First a note on training: Should not just be a mechanical process of passing out these documents and getting signatures back. Should be a meaningful discussion and meaningful review of these docs so that you are reasonably assured that you and your employee understood what they require. This training, at a minimum, should occur when employee is initially hired and on an annual basis. DO THESE WITH SOFTWARE!

Risk Assessment Neither Rule 206(4)-7 nor similar state rules require a risk assessment; but, the SEC’s initial request for information during an exam asks for: Inventory of compliance risks that forms the basis for policies and procedures Documents mapping the inventory of risks to written policies and procedures Risk assessment can help you create your P&P or if you’ve purchased either an off-the-shelf manual or even an customized manual, you should still use a risk assessment to make sure your P&P adequately address and control the particular risks inherent in your business.

Risk Assessment Four Step Process: Prepare risk inventory Assign a “rating” to each risk identified in your inventory “Map” risks to specific procedures and/or disclosures Review and update, as needed Make sure to update your risk inventory each year when new focus areas or hot topics are identified. Two relevant examples right now: cyber security and the DOL fiduciary rule.

Compliance Calendar Use a compliance calendar to monitor and test your policies and procedures. The calendar should indicate: What is the specific task to be performed When and how often will the specific task be performed Who will be responsible for performing the task Once you’ve done a risk assessment and are comfortable that your P&P cover all the things they should, then you face the task of doing everything your P&P says you will do. A way to manage that task is to create a compliance calendar. USE SOFTWARE FOR THIS! Not performing a task that is specifically included in your written compliance policies and procedures is a red flag to a securities regulator that you may not be implementing your written compliance policies and procedures. 

Compliance Monitoring & Testing Your calendar will have tasks designed to monitor and test your policies and procedures. Monitoring: Keeping track of and checking your procedures on a continuing basis. Testing: Submitting your procedures to evaluation to determine their ability, or inability, to detect and prevent compliance violations.  

Compliance Monitoring & Testing Policy: The firm’s Chief Compliance Officer (CCO) shall be responsible for approving all company advertising and ensuring it is in compliance with jurisdictional regulations. No advertisement shall be distributed without the CCO’s approval. Task: Review and approve advertising. When: As needed: Review and note approval when advertisement placed; Quarterly / Annually: Spot check advertisement records to ensure prior approval was obtained and perform a general internet search for “unapproved” advertising  Look at specific example of task for your calendar. Review and approve content at time ad is placed to make sure no testimonials, appropriate disclosures, fair and balanced, no misleading language. Periodic reviews – Quarterly / Annually – make sure CCO approval is documented General Internet search on your IA and its personnel for any unapproved advertising In each case document the review.

Compliance Monitoring & Testing Policy: The Firm shall bill clients accounts on a quarterly basis and deduct the fees directly from clients accounts. Task: Review client accounts for billing errors. When: Review sample client files every quarter after the most recent billing cycle.  Another example. Procedures say basically that you will manage your clients’ accounts in accordance with their investment objectives.

Annual Review CCO or person designated to conduct a review must assess the adequacy and effectiveness of the compliance program at least annually. Adequacy Has the firm updated its policies and procedures in response to changes in business practices or regulatory requirements? Has the firm conducted risk assessment in response to any changes? Effectiveness Is the firm implementing policies and procedures as designed? Document the annual review and make changes as necessary. Top to bottom review of your compliance program. Checking Adequacy – read slide Effectiveness – if kept compliance calendar and engaged in monitoring and testing throughout the year, then you can be reasonably assured that your program is doing what it’s supposed to do. Make sure you have documentation of that monitoring and testing. Document annual review – P&P are up-to-date; met with and reviewed those with employees; annual attestations.

RIA Examination Frequency What percentage of SEC-registered RIA firms are audited on an annual basis? 11% 18% 27% 43%

RIA Examination Frequency SEC Audit Statistics Examined 30% of total assets under management (“AUM”) in 2014 From 2001 to 2015, total aggregate SEC-registered RIA AUM increased approximately 210% from $21.5 trillion to approximately $66.8 trillion As of February 28, 2017, there are 12,286 SEC-registered RIA firms with a median AUM of $302 million and an average of $5.459 billion AUM SEC exam volume is up 25% in 2017 vs. 2016 11% audit frequency -> expect this number to move closer towards 13-14% in next report with exam volume up 25% YoY Challenge is the number of firms continues to grow at a fast pace -> historical focus on larger AUM firms Sources: 2014, 2015, 2016, and 2017 SEC Fiscal Year Congressional Budget Justifications

Exam Document Preparation Overview slide deck Org chart Joint ventures Client account information Type Custodian E-delivery authorization Custody Value for advisory fees

Exam Document Preparation Lost advisory clients Registration justification Service provider list Policies and Procedures Non-compliance records Review documentation Code of Ethics Trade errors Risk assessment Employee trade records

Exam Document Preparation Litigation records Security list Soft dollar arrangements Custodial agreements Financial statements Trade blotter Advertising materials Advisory agreement

Exam Deficiencies What percentage of SEC RIA audits result in a deficiency being cited? 34% 42% 63% 77%

Referrals to Enforcement Division What percentage of SEC RIA audits result in a referral to Enforcement? 7% 11% 26% 32%

Possible Referral to Enforcement SEC Enforcement Statistics Sources: 2014, 2015, 2016, and 2017 SEC Fiscal Year Congressional Budget Justifications

Deficiencies Source: 2015 North American Securities Administrators Association RIA Coordinated Examination Report

Evolving Audit Scope

Better Data and More Focus The Form ADV Part 1 changes taking effect October 1, 2017 further demonstrate this.

Best Practices Proper documentation Accurate Form ADV documents and disclosures Know relevant requirements Periodic review of client files and marketing Customized policies and procedures Client files: required documents (contracts, investment policy statement, etc.), billing accuracy Marketing materials: from a regulator’s perspective DOCUMENT, DOCUMENT, & DOCUMENT -> you must prove it

Efforts to Increase Audit Frequency 3rd party self regulatory organization (SRO) Congressional bill introduced by Spencer Bachus (formerly R-AL) in April 2012 User fees Congressional bill introduced by Maxine Waters (D-CA) in April 2013 3rd party audits Introduced in May 2014 by former SEC Commissioner Daniel Gallagher at a Financial Industry Regulatory Authority (FINRA) event Increased SEC focus on RIA firms Shift of 100 broker-dealers to adviser exams Hiring more adviser examiners Changing AUM registration threshold Previously raised from $30 to $100 million as part of Dodd-Frank Raising to $300 million would shift around ½ of SEC-registered firms to state level Though not likely, most likely scenario among these is the introduction of 3rd party audits at the federal level to do limited scope exams related to asset verification and fee calculation confirmation.

About RIA in a Box www.riainabox.com @riainabox We support RIA firms with industry-leading registration and compliance services Experience & Expertise 30+ employees including former regulators, advisors, and technologists Have helped register over 3,000 new RIA firms MyRIAComplianceTM Proprietary RIA compliance management software Provide compliance software and ongoing consulting support to over 1,500 RIA firms www.riainabox.com @riainabox