The amendments that were adopted apply to covered institutions[1], and will be effective by December 3, 2025 for larger entities (e.g., Registered Investor Advisers with $1.5 billion or more in AUM, Investment Companies with over $1 billion in AUM, and Broker-Dealer and Transfer Agents that are not smaller entities), and other covered institutions, which are smaller entities are subject to the new rules on June 3, 2026.

So, what does this mean and when do we need to do things under the new rules? Here is a summary of some of the upcoming new rules:

Drafting Policies and Procedures

Policies and Procedures must be drafted for Incident Response Programs, which need to detect and respond to unauthorized access to customer data, be designed to oversee and monitor service providers, and must notify customers when their information has been accessed or used without authorization. Drafting these Policies and Procedures will likely take the most time to make sure the content covers the amendment’s 348 pages.

Notification Requirements

If sensitive customer information is accessed or used without authorization, Firms must notify affected individuals as soon as practicable, but no later than 30 days after discovery. Notification may be delayed upon written request from law enforcement, and such requests must be documented.

Recordkeeping and Annual Notices

Firms shall maintain written records for at least five years, including current and historical records, versions of policies and procedures, incident investigations, customer notifications, service provider oversight documentation, and disposal logs. Version control and annual reviews are required to ensure ongoing compliance.

Strengthened Service Provider Oversight

Firms must enter into agreements requiring service providers to:

• Maintain appropriate safeguards;
• Notify the Firm of incidents promptly;
• Provide information needed for the Firm to meet its regulatory obligations; and
• Cooperate with investigation and remediation efforts.

Conduct Training

• Conduct periodic testing of security controls, including, as appropriate on a risk basis, penetration tests, and vulnerability scans, with such frequency commensurate with the level of perceived risk;
• Perform tabletop exercises simulating data breach scenarios to validate response protocols; and
• Provide mandatory training for all employees on privacy, cybersecurity, and incident reporting obligations.

In short, there will be several changes in the procedures and processes for most RIAs in 2026. As we go through the Holiday season, our focus will first be on the Annual ADV Amendments, which will generally conclude in March. Afterwards, we will work on the new procedures. However, it may make sense not to wait as these rules will have a lot of impact. And, as experience has shown us, our regulators expect conformity rather soon. Please feel free to contact us when you are ready to tackle these rules.

[1] “Covered Institutions” refers to broker-dealers, investment companies, SEC-registered investment advisers, funding portals, and transfer agents.

Highlights:

GENERAL PROHIBITIONS 

First, please be aware that the Rule prohibits the following practices (also called the “General Prohibitions”): 

• Making an untrue statement of material fact, or omitting a material fact that is necessary to make a statement not misleading; 
• Making a material statement of fact that cannot be substantiated;
• Providing information that would reasonably be likely to cause an untrue or misleading implication; 
• Discussing potential benefits without a fair and balanced treatment of associated risks; 
• Referencing specific advice that is not presented in a fair and balanced manner; 
• Including or excluding performance results or time periods, in a manner that is not fair and balanced; and
• Including information that is otherwise materially misleading.

These are principal-based prohibitions and should not be a problem with any compliance program. 

DEFINITION OF ADVERTISEMENT 

The definition of “advertisement” has changed. Under the Rule, “advertisement” contains two prongs: 

1. The first prong includes any direct or indirect communication made that:
   1. Offers advisory services to prospective clients (more than one); or
   2. Offers new advisory services to current clients (more than one).
2. The second prong includes any endorsement or testimonial for which an adviser provides cash or non-cash compensation directly or indirectly. 

This is a substantial change in that the first prong will exclude most one-on-one communications.

TESTIMONIALS AND ENDORSEMENTS

Testimonials and endorsements are allowed, as long as certain disclosure, oversight and disqualification provisions are in place such as:

• Disclosure. Disclosure means that any testimonial or endorsement must be clearly and prominently disclosed whether the promoter is a client and/or whether he or she is being compensated; 
• Oversight and a written agreement. The adviser must oversee that the firm is in compliance with the Rule; 
• Written Agreement. The adviser must seek a written agreement with the promoter, except where the promoter is an affiliate of the adviser or is receiving de minimis compensation (less than $1,000, directly or indirectly);
• Disqualification of Promoters. No “bad actors” can be promoters. 

The key here is that testimonials and endorsements are now allowed under “common sense” conditions. 

THIRD-PARTY RATINGS

The Rule allows the continued use of third-party ratings as long as certain criteria are used when preparing the rating. Some of the criteria are as follows:

• Third-party ratings include ratings or rankings of the firm that unrelated people provide in the ordinary course of business.
• Advisers must have a reasonable basis to believe that any questionnaire or survey used in the preparation of third-party ratings is structured to make it equally easy for participants to provide favorable and unfavorable responses and is not designated or prepared to produce any predetermined results. This requirement ensures that any third-party ratings in ads are unbiased and therefore reliable to investors (from a credible source and presents a complete picture of an adviser’s track record);
• Disclosure to ensure third-party ratings are presented contextually in a way that helps establish the third-party’s trustworthiness. Third-party ratings must disclose as follows:
  • The date the ratings were given and the period of time on which the ratings were based;
  • The identity of the third parties that created and tabulated the ratings; and 
  • If applicable, that advisers provided compensation directly or indirectly in connection with obtaining or using the third-party ratings.

PRESENTATION OF PERFORMANCE INFORMATION

The changes to the performance results are the most substantial part of the Rule and should be carefully reviewed when using performance numbers as part of the firm’s marketing. The following changes affect how the adviser will present “performance” information in advertisements:

• Gross performance can be presented only if net performance is also shown;
• Performance results generally must also show 1, 5 and 10-year time periods;
• Performance results must include all substantially similar strategies; less than all portfolios can be shown if it doesn’t cause results to be materially higher; 
• An extracted portfolio result can be used if the total performance results is also discussed; and
• Hypothetical performance can be used as long as the adviser can ensure that the performance is relevant and abides by policies and procedures that comply with the Rule.

BOOKS AND RECORDS; FORM ADV 

The Rule also has amendments to the books and records rule, and the Commission amended the Form ADV to require advisers to provide additional information regarding their marketing practices to help facilitate the Commission’s inspection and enforcement capabilities. 

CONCLUSION

In summary, the New Marketing Rule will impact your firm and must be implemented by November 4, 2022, one month away. This article aims to set forth the most critical changes. The Rule will require updated and new policies and procedures, likely an amended Form ADV (under Item 14, if Rule 206(4)-3, which will be  replaced, is mentioned), and significant training so that advisers understand what can, and cannot, be disclosed.  While the Rule may be voluminous and technical, we are always here to help you sort through the compliance jargon in order to devise a plan to ensure your compliance requirements are met so you can feel confident your firm is following the Rule properly and prepared for an eventual audit. 

This article does not in any way create an attorney-client relationship. This article should not be seen as legal advice. You should consult with an attorney before you rely on this information.

On Tuesday, April 26th, the SEC’s Division of Examinations (the “Division”) issued a Risk Alert that outlined notable deficiencies observed by the Division’s staff with respect to two key compliance areas:

Section 204A of the Advisers Act of 1940, which addresses the prevention of the misuse of material non-public information (MNPI) by the adviser or any person associated with the adviser; and

Rule 204A-1 (commonly referred to as the “Code of Ethics Rule”), which requires investment advisers to adopt and maintain a Code of Ethics (“Code”) that sets forth the standard of business conduct expected from the adviser’s “supervised persons” (generally all employees, officers, directors and any persons who provide advice on behalf of the adviser and are subject to the adviser’s supervision and control). 

Highlights:

Compliance Issues Related to Section 204A

Section 204A requires advisers (registered and unregistered alike) to establish and implement written policies and procedures reasonably designed to prevent the misuse of MNPI. The Division cited three areas in which its staff observed common deficiencies to policies and procedures:

1. Where advisers used data from non-traditional sources normally used for financial analysis (which the Division termed “alternative data”), but failed to implement appropriate due diligence processes even though the alternative data may not necessarily contain any MNPI. (Examples of alternative data provided by the Division include information gathered from satellite and drone imagery, aggregate credit card transactions, social media and internet searches, geolocation data from mobile phones, and email data obtained from consumer applications and other tools.)

2. Where advisers maintained client relationships with key persons (such as corporate executives or financial professionals) or institutional investorsthat are likely to possess substantial MNPI, but the adviser did not appear to have any procedures in place to assess the risks associated with these “value-add investors”, nor any tracking in place for such client relationships.

3. Where advisers used “expert networks” (networks of professionals who provide consulting and research services in various areas) but neglected to maintain adequate policies and procedures for documenting calls with the consultants and reviewing subsequent trading activity of supervised persons in the securities of publicly traded companies discussed in the consultant calls.  

Compliance Issues Related to Rule 204A-1 (the Code of Ethics Rule)

As previously mentioned, Rule 204A-1 requires all advisers to adopt and implement a Code of Ethics (“Code”) that sets forth the adviser’s standards of business conduct and reflects its fiduciary duties. Upon receipt of the Code (or any written amendment thereto), each supervised person is required to provide written acknowledgement to the adviser. The Division’s staff found instances where the written acknowledgement was not provided, as well as other instances where the adviser’s Code was silent with respect to the written acknowledgement requirement.

Under the Code of Ethics Rule, ongoing identification of “access persons” and their securities holdings (including transactions) is required.  (“Access persons” include supervised persons who have access to NPI related to client transactions or reportable fund holdings, make or have access to client securities recommendations that are non-public, and generally include all officers, directors and partners of the adviser.) The Division outlined several areas related to the monitoring of the adviser’s access persons’ securities transactions and holdings where the adviser’s Code was deficient, required monitoring was lacking, or a combination of both:

• Access persons were not identified by the adviser in accordance with the Code, or the advisor’s Code did not provide a proper definition of “access persons”;
• Access persons had not obtained pre-approval for certain tradesin accordance with the advisor’s Code, or the appropriate “pre-approval provision” did not appear in the Code;
• Periodic holdings/transaction reports were not provided by access persons to the Chief Compliance Officer (“CCO”) as required by the adviser’s Code, or such provision was not addressed in the adviser’s Code;
• With respect to periodic holdings/transaction reports, the Codes of certain advisers did not address the specific content requirement under the Code of Ethics Rule; and
• Certain advisers were unable to produce evidence of supervisory review of the periodic holdings/transaction reports submitted by access persons. In addition, the Division noted instances where policies and procedures were not in place to address the review of the CCO’s holdings/transaction reports to be reviewed by another member – effectively allowing the CCO to conduct a self-review of his/her own holdings and transactions.

The Division referred to the SEC’s Code of Ethics Adopting Release, in which several suggested practices were provided for advisers to consider incorporating into their Codes. Two examples of such practices are:

1. Implementing and distributing a “restricted list” of issuers about which the adviser has inside information, and prohibiting any trades in those securities while they remain on the restricted list; and

2. Implementing procedures to ensure investment opportunities are first offered to clients to avoid having the adviser’s own employees purchase the securities ahead of their clients at a better price.

Final Thoughts:

This summary is intended to provide highlights of the above-referenced Risk Alert.  If your firm actively uses “alternative data” in conducting its business, has “value-add investors” as clients, or is an ongoing user of one or more expert networks, you may find additional guidance in the Risk Alert.

The Code of Ethics maintained by your firm likely already contains the required provisions under the Code of Ethics Rule; most deficiencies are a result of a lapse in documenting a certain review or approval, so it is imperative to maintain the appropriate support to your compliance personnel to ensure ongoing monitoring is maintained.

Please do not hesitate to contact Reymann Law Group, P.A. should you have any questions or wish to have me review any of your own materials that are addressed above. 

On Wednesday, March 30th, the SEC’s Division of Examinations (the “Division”) released its annual examination priorities for 2022, which cited a 20% increase in the number of RIAs over the past five years (from about 12,250 to over 14,800 RIAs). During this period, the number of RIAs with AUM over $10 billion rose by 30%, and total AUM now exceeds $113 trillion – almost 70% more than five years ago. Because the growth of RIAs has outpaced the Division’s own staff increases, the Division will likely lower its current examination coverage target of 15% of RIAs. However, as in past years, the Division intends to continue prioritizing RIAs that have never been examined, as well as those that have not been examined for several years.

Highlights:

1. Examination Focus Areas. The Division stated that it “will prioritize examinations of several significant focus areas that pose unique or emerging risks to investors or the markets, as well as examinations of core and perennial risk areas.” The significant focus areas are:

• Private Funds
• Environmental, Social, And Governance (ESG) Investing
• Standards of Conduct: Regulation Best Interest, Fiduciary Duty, and Form CRS
• Information Security and Operational Resiliency
• Emerging Technologies and Crypto-Assets

2. Fiduciary Duty. The third focus area listed above is, of course, central to all RIAs in that they have a fiduciary duty to their clients, “looking at both duties of care and loyalty, including best execution obligations, financial conflicts of interest and related impartiality of advice, and any attendant client disclosures.” The Division explains that key areas of RIAs it will review include:

(1) revenue sharing arrangements;

(2) recommending or holding more expensive classes of investment products when lower cost classes are available (e.g., RIAs that recommend no transaction fee mutual fund share classes that have 12b-1 fees in wrap fee accounts where the RIA may be responsible for paying transaction fees); 

(3) recommending wrap fee accounts without assessing whether such accounts are in the best interests of clients, including the impact of the move to zero commissions on certain types of securities transactions by a number of broker-dealers; and 

(4) recommending proprietary products resulting in additional or higher fees. Such reviews also will include an assessment of the adequacy of RIAs’:

(a) compliance policies and procedures designed to address conflicts and ensure advice in the best interest of clients, including the cost of investing; and 

(b) disclosures to enable investors to provide informed consent.”

3. Information Security and Operational Resiliency. Information security (and operational resiliency) is a perennial area of focus to all regulators given its critical role to ensuring the data of the RIA and its clients is protected. The Division will review RIAs to determine whether they “have appropriate measures to:

(1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;

(2) oversee vendors and service providers;

(3) address malicious email activities, such as phishing or account intrusions;

(4) respond to incidents, including those related to ransomware attacks;

(5) identify and detect red flags related to identity theft; and

(6) manage operational risk as a result of a dispersed workforce in a work-from-home environment.”

The Division intends to review RIAs’ business continuity and disaster recovery plans, as well as to ensure they are complying with applicable privacy and information security regulations.

4. Emerging Technologies and Crypto-Assets. The last significant focus area is Emerging Technologies and Crypto-Assets and stems from the Division’s observation of a significant increase in the number of “robo-advisers” being used by RIAs, and the proliferation of offering crypto-assets as an investment option by RIAs.

5. Overview of the Division’s Examination Program. The Division’s examination of RIAs typically consists of a review “in one or more of the following core areas: marketing practices, custody and safety of client assets, valuation, portfolio management, brokerage and execution, conflicts of interest, and related disclosures.”

6. Policies and Procedures. In any examination of an RIA, it is a sure bet that the Division will review the RIA’s policies and procedures, its compliance program, and the RIA’s disclosure and assessment of its fees and expenses. The following chart summarizes what the Division will be looking for as it reviews these three key areas:

Policies & Procedures will be assessed to determine: 

(1) whether they are reasonably designed to prevent violations of the Advisers Act and its rules, including breaches of the RIA’s   fiduciary duty in violation of the antifraud provisions; and

(2) whether the RIA is reviewing and testing them periodically to ensure they are maintained and updated as appropriate. 

The RIA’s Compliance Program will be reviewed to determine:

(1) whether they address that investment advice is in each client’s best interest (i.e., that they are satisfying their obligations under Regulation BI); 

(2) whether the RIA’s oversight of service providers is adequate; 

(3) whether sufficient resources exist to perform compliance duties; 

(4) to   the extent RIAs use “alternative data or data gleaned from non-traditional   sources as part of their business and investment decision-making processes, whether RIAs are implementing appropriate compliance and controls around the creation, receipt, and use of potentially MNPI (material nonpublic information)”; and

(5) whether the RIA has implemented oversight practices to address any heightened risks. (The Division cites three (3) examples: (a) employing individuals with prior disciplinary histories; (b)   ensuring that a transition from a broker-dealer model to an RIA is in the   client’s best interest; and (c) for RIAs with multiple branch locations, ensuring their compliance program has been enhanced to appropriately oversee the activities of their branches.)

Disclosure and Assessment of Fees & Expenses  will be reviewed to identify any issues pertaining to: 

(1) advisory fee calculation errors, including, but not limited to, failure to adjust management fees in accordance with investor agreements; 

(2) inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and

(3) failures to refund prepaid fees for terminated accounts or pro-rated fees for onboarding clients.

Final Thoughts:

By conducting these examinations, the Division’s chief objective is to ensure RIAs have adequate and effective compliance programs (including ongoing testing, and training) that are designed to support and protect investors whose assets are entrusted with RIAs. To this end, every RIA should continue to place a high priority on maintaining and complying with their policies and procedures, compliance programs and disclosures (such as their Form ADV, Form CRS and any other client disclosures), and by doing so should result in having a fairly “pain-free” examination by the SEC’s Division of Examination. 

Please do not hesitate to contact Reymann Law Group, P.A. at office@reymannlawgroup.com should you have any questions or wish to have a review of any of your own materials that are addressed above.  

Sources:

The Division’s 2022 Priorities report may be viewed by following this link: https://www.sec.gov/files/2022-exam-priorities.pdf

On December 18, 2020, the Department of Labor (“DOL”) adopted the Prohibited Transaction Exemption 2020-02 (“PTE 2020-02”) in its every-lasting effort to help promote investment advice that is in the best interest of retirement investors. This exemption puts an emphasis on mitigating conflicts of interest and ensuring that the retirement investors are receiving advice that is prudent and loyal.  

The exemption will be necessary in circumstances where an investment professional provides fiduciary investment advice to plan sponsors, plan participants, or IRA owners, and receives payment which potentially creates a prohibited transaction, and therefore, to avoid breaching a prohibited transaction the professional will be able to comply with the exemption. Timewise, the exemption was first effective on February 16, 2021, but the DOL provided transitional relief through December 20, 2021. Notwithstanding this relief, the financial industry requested additional time and the DOL on October 25, 2021, granted the additional time as described below. The following summary provides general insight into PTE 2020-02, including the new transition periods: 

Highlights:

1. Who is eligible to use the exemption? Basically, anyone in financial services such as investment advisers, broker-dealers, banks, insurance companies, and their employees, agents, and representatives who provide fiduciary investment advice and who therefore may run afoul of the ERISA prohibited transaction rules.

2. What are the conditions to this exemption? There are number of conditions to the exemption, including the following: 

•   Disclosure – the investment professional must acknowledge their fiduciary status in
      writing and disclose their services and any material conflict of interest; further
      disclosure must be made providing the reasons the recommendations are in the
      retirement investors’ best interest; 
•   Impartial Conduct – this requires the professional to investigate and evaluate any
      recommendation under a prudent standard, must act with undivided loyalty to the
      retirement investor, charge no more than a reasonable compensation, comply with the
      best execution rule, and avoid making any misleading statements; and
•   Policies and Procedures – implement written policies and procedures designed to
      ensure compliance with the Impartial Conduct Standards; these procedures must also
      require an annual retrospective compliance review. 

3. DOL’s Timeline. As noted, on October 25, 2021, the DOL announced under Field Assistance Bulletin 2021-02 (“FAB 2021-02”) that the DOL will not pursue prohibited transaction claims against fiduciaries as follows:       

How RLG Can Assist?

The new Rules discussed in this article will result in practice changes for investment adviser fiduciaries. If you are not sure where to start, RLG can review your current compliance manual and suggest changes that will assist with helping you meet your obligations. We recommend you pay close attention to the DOL’s timeline above and not wait until the last minute to implement your new policy.  

Sources:

U.S. Department of Labor News Release-October 25, 2021

Federal Register

FAB 2021-02

This article does not in any way create an attorney-client relationship. This article should not be seen as legal advice. You should consult with an attorney before you rely on this information.