On February 21, 1878, the first telephone book was issued in New Haven, Connecticut. On the same date in 1925, the New Yorker published its first issue. And on the same date in 2013, the SEC published its examination priorities for the year.[1] Some have called it the literary trifecta of the millennium. Most readers of sound mind, however, are more likely to rank the SEC’s examination priorities about as exciting as a phone book and about as stuffy as the New Yorker.
Be that as it may, there are still important takeaways that every registered investment adviser would do well to incorporate into his or her compliance program. In the spirit of the SEC’s push to write rules, disclosure documents, and guidance in plain English (see the initiative at www.sec.gov/plainwriting.shtml), I have attempted to translate some of the exam priorities accordingly and interpret what the SEC is really saying to RIAs (in the “voice” of the SEC).
Fraud Detection and Prevention
Please, please, please, don’t do what Bernie Madoff did. It makes us (the SEC) look really bad and, more importantly, it doesn’t engender trust in the financial services industry. We use highly sophisticated qualitative and quantitative tools to analyze and assess RIAs and other registrants, and we are constantly on the lookout for fraudulent or unethical business practices. Put the interests of your clients first, and always act pursuant to your fiduciary duty as an investment adviser. You, as the RIA, are responsible for setting up a system to prevent and detect fraud in your firm. (If the SEC asked you what you do to prevent and detect fraud, how would you answer? More importantly, how would you prove your answer with documentation?)
Corporate Governance and Enterprise Risk Management
We expect you to assess the risks facing your RIA and correlate those risks to your corporate governance framework. More specifically, we want you to account for and manage your firm’s financial, legal, compliance, operational, and reputational risk. Risk management should not be conducted in a silo, but should instead incorporate everyone in the organization from the top down.
Are you a firm that could be affected by climate-related events (think Hurricane Sandy in 2012, the tornado outbreak in 2011, or the Loma Prieta earthquake in 1989)? If so, you’d better take a hard look at your business continuity plan. If your operational processes require a lot of manual calculations subject to human error, consider doing a spot audit of certain calculations. Each RIA will be subject to different risks, and it is important to customize mitigation efforts accordingly. And, as always, document your risk assessment and mitigation efforts.