Monday, July 30, 2018

Cybersecurity remains advisers’ top concern, compliance survey finds

By Amy Leisinger, J.D.

According to a report issued by the Investment Adviser Association and ACA Compliance Group, cybersecurity remains the most pressing concern among advisory firms, with nearly two-thirds of companies noting an increase in compliance testing with regard to cyber threats. In their survey, the organizations also found an increased focus on compliance with the SEC’s advertising rule, measures to properly maintain custody of assets, and issues relating to privacy.

Of the 454 investment advisers surveyed, the majority are small businesses in which the chief compliance officers serve in multiple roles. “[T]he job of a CCO is becoming more complex and varied, as demonstrated by the wide range of legal and compliance areas CCOs are responsible for, with new ones being added every year,” said IAA President and CEO Karen Barr.

The survey found that advisory firms are using technology to fill gaps as necessary, with nearly 70 percent using some form of it in their compliance programs, particularly in connection with personal trading, codes of ethics, gifts and entertainment, and political contributions. A majority of firms noted, however, that they do not use trading data analytics in monitoring trading activity and do not currently use alternative data research. Forty-six percent of the adviser respondents report that they consider environmental, social, and governance factors in managing client portfolios, and most have policies and procedures designed to ensure that client objectives are being met, with almost half using automated compliance systems to do so.

Eighty-eight percent of the adviser respondents stated that they test fee calculations, most on a periodic sample basis; the top tests include ensuring that expenses remain consistent with advisory contracts or offering documents and are explicitly disclosed in the firm brochure. The vast majority of firms also evaluate best execution with respect to equity, fixed income, derivatives, and foreign currency transactions. Approximately one-third of the advisers reported that they do not engage full-service broker-dealers and do not receive proprietary research, and most serve individual clients, have documentation in place regarding aging clients, and provide training on the subject. Most advisers also reported that they do not trade in cryptocurrency, and many also noted an increase in the scope and/or frequency of their compliance testing with regard to cybersecurity issues.

The respondents also noted that the top controls in place relating to the safeguarding of client assets include conducting background checks on employees with access and limiting those authorized to transmit trade orders. The most common controls with regard to advertising involve formal CCO pre-approval and reviewing information posted online and provided in new documentation.

With regard to preparation of Form ADV, the respondents cited disclosures relating to separately managed accounts as the most challenging part. Many cited issues with increased reporting of derivatives and borrowing, classification of investments, and determinations as to what qualifies as a separately managed account.