The SEC 2023 Examination Priorities: Top Takeaways for RIAs

On February 7, 2023, the Securities and Exchange Commission (SEC) Division of Examinations (the “SEC” and “Division,” respectively) released its examination priorities report (the “Priorities Report”) for the 2023 fiscal year. In the Priorities Report, the SEC identifies areas of focus for the year ahead, which are believed to present the greatest potential risk to investors.

With regard to Registered Investment Advisors (RIAs) to private funds, the SEC has particularly focused on six areas:

1. Compliance with the new Marketing Rule, Advisers Act Rule 206(4)-1
2. Conflicts of interest
3. Information security and operational resiliency
4. Oversight and approval process related to the calculation and allocation of fees and expenses
5. Use of alternative data
6. Compliance with the Custody Rule, where applicable

The SEC will also be focused on RIAs offering crypto or crypto-related assets and emerging technologies (e.g., automated digital investment advice), and Environmental, Social, and Governance-related (ESG) investments and strategies that incorporate ESG criteria.

The SEC will continue to prioritize examinations of RIAs for compliance with their fiduciary duty, particularly in relation to conflict of interest disclosures, investment advice and recommendations, and processes for making best-interest evaluations. During typical exams, the SEC will continue to review core focus areas of the RIA’s operations and compliance program, such as those relevant to valuation, portfolio management, and brokerage best execution. The SEC also mentioned that in addition to the core focus areas, it will review policies and procedures related to the selection and use of third-party service providers and retention and monitoring of electronic communications.

In alignment with its policies of the past several years, the SEC will prioritize examinations of RIAs that have never been examined and those that have not been examined in several years. The commission will also increase its focus on private funds with specific risk criteria, such as those that are:

• Highly leveraged
• Managed side-by-side with Business Development Companies (BDCs)
• Holding certain hard-to-value investments, such as cryptocurrency or real estate investments
• Invested in or sponsor Special Purpose Acquisition Companies (SPAC)
• Private equity funds that use affiliates to provide services to their investors and underlying portfolio companies
• Involved in adviser-led restructurings, including stapled secondary transaction and continuation funds

Below, we’ve highlighted some best practice considerations for RIAs in relation to three core areas of focus that the SEC highlighted in its Priorities Report:

1. Marketing Rule
2. Fiduciary Duty/Conflicts of Interest
3. Information Security and Operational Resiliency

1. Marketing Rule Compliance (Rule 206(4)-1 Under the Advisers Act)

The Marketing Rule is a “significant change” to a “core examination area” and RIAs should expect an examination focused on their compliance with the new provisions that went into effect in November 2022.

Best Practice Considerations

This examination will consider factors such as: Has the RIA adopted the Marketing Rule and developed policies and procedures reasonably designed to prevent violations? Do all the RIA’s materials comply with all provisions of the Marketing Rule including performance advertising, testimonials and endorsements, substantiation of material statements of facts, and third-party ratings, among other requirements?

• Ensure written marketing policies and procedures have been updated in compliance with all relevant provisions of the new Marketing Rule.
• Consider creating a “Committee” to assist with implementation and oversight.
• Designate an “Authorized Person(s)” to review and approve all marketing communications and other relevant marketing activities of the Adviser.
• Review all marketing materials to ensure they comply with the Substantiation and Performance Advertising requirements covered under the new Marketing Rule provisions effective November 2022.
• Maintain records of all marketing and advertising materials disseminated, including performance–related information; internal working papers; and documentation for all oral advertisements, testimonials, and endorsements. 
• Maintain a record of approvals of all marketing materials and relevant communications by the Authorized Person(s).
• Train all Supervised Persons, at least annually, on 206(4)-1 and policies and procedures that have been adopted by the RIA.

2. Standard of Care: Fiduciary Duty and Conflicts of Interest

Best Practice Considerations

The examination will consider factors such as: Does the RIA, as a fiduciary, place its investors’ and clients’ interests before its own, while exercising due care in the decision-making process? Does the RIA have written policies and procedures as well as documentation to demonstrate compliance with its fiduciary obligations (duty of care and duty of loyalty)? 

• Establish written policies and procedures to demonstrate its compliance with its fiduciary duty, including its duty of loyalty and duty of care.
• Identify conflicts of interest that are relevant to the RIA’s business model, product offering, investor base, and compensation structure.
• Demonstrate periodic review and updates, as appropriate.
• Ensure Advisory agreements do not propose to inappropriately waive or limit the RIAs fiduciary duty, as through the common use of “hedge clauses,” even if it is followed with a non-waiver disclosure.
• Review disclosures made to investors regarding conflicts of interest.

3. Information Security and Operational Resiliency

Best Practice Considerations

In this area, the examination will consider factors including: Has the RIA implemented practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets? How does the RIA mitigate the risk of cybersecurity issues associated with the use of third-party vendors and services?

• Develop and conduct a risk assessment to identify, manage, and mitigate cyber risks.
• Adopt and implement comprehensive written policies and procedures to address risks.
• Develop an Incident Response Plan to establish internal and external communication policies and procedures and ensure timely information is provided to all relevant parties as appropriate.
• Assess and document access rights and controls.
• Implement data loss prevention measures (e.g., vulnerability scanning, patch management, inventory hardware and software, encryption, and network segmentation).
• Conduct a third-party due diligence assessment, including a review of their information and cybersecurity framework.
• Establish mobile device security measures, such as an MDM application, the use of Multifactor Authentication (MFA), and the ability to remotely clear data.
• Conduct cybersecurity training and phishing tests for employees, at least annually.
• Ensure policies and procedures are reasonably designed to safeguard customer records including personally identifiable information.

The Bottom Line

While the summary above provides an overview of the SEC Priorities Report’s areas of focus that are most relevant to RIAs of private funds, all registrants are strongly encouraged to review the full SEC 2023 Priorities Report. If you need support implementing these guidelines, the Arootah Business Advisory team is ready to assist you in the development and implementation of best practice assessments or mock audits. Schedule a free strategy call with one of our experienced consultants today.

Sources 

SEC Division of Examinations – 2023 Examination Priorities 

SEC Division of Exams Risk Alert – Marketing Rule – September 19, 2022 

SEC Cybersecurity and Resiliency Observations 

SEC Proposed Safeguarding Rule – Rule 206(4)-2 

Disclaimer: This article is for general informational purposes only and does not constitute legal, investment, financial, accounting, or tax advice, or establish an attorney-client relationship.  Arootah does not warrant or guarantee the accuracy, reliability, completeness, or suitability of its content for a particular purpose. Please do not act or refrain from acting based on anything you read in our newsletter, blog, or anywhere else on our website.