Observations from Examinations of Advisers that Provide Electronic Investment Advice

On November 9, the U.S. Securities and Exchange Commission’s (SEC) Division of Examinations (Division) issued a Risk Alert that discussed observations from examinations of advisers that provide automated, electronic advice. Digital advisers (also referred to as automated advisers, internet advisers, and robo-advisors) come in many forms and, as noted in the risk alert, can either provide services exclusively online or provide digital investment advisory services as a supplement to the traditional advisory model, leveraging proprietary or third-party software.

The examinations and observations that were conducted under the SEC’s Electronic Investment Advice Initiative (Initiative) was used to help gain a better understanding of how these advisers have been providing advice while still complying with regulatory requirements. While electronic advice has been an SEC examination priority for at least two years, the Initiative focused on how these advisers adhered to their fiduciary duty by providing clear disclosure on their advisory programs and acted in their clients’ best interests.

Areas of focus

The focus areas of the exams fell under two main areas: (1) Provision of Electronic Investment Advice and (2) Use of Discretionary Investment Advisory Programs.

Provision of Electronic Investment Advice

The staff focused on assessing the following:

1. Compliance programs – whether advisers designed and implemented adequate policies and procedures to address robo-specific practices and whether they were tested at least annually
2. Formulation of investment advice – whether sufficient information was gathered to provide advice in a client’s best interest based on each client’s financial situations and investment objectives
3. Marketing and performance advertising – adherence to the advertising rule, including whether advertised securities selection and portfolio management techniques were used in client account management
4. Data protection practices – adequate data protection and cybersecurity policies and procedures
5. Registration – whether certain advisers were eligible for SEC registration

Use of Discretionary Investment Advisory Programs

The staff evaluated whether certain advisory programs could be considered investment companies under the Investment Company Act of 1940 (IC Act) and to what extent they were relying on the nonexclusive safe harbor provided under Rule 3a-4.

Observations

As a result of the exams, deficiencies were identified in each of these areas, though the staff specifically noted observations most often occurred in the following areas:

1. Compliance programs, including policies, procedures, and testing
2. Portfolio management, including fiduciary duty obligations
3. Marketing and performance advertising

The following is a summary of the observations the Division cited in the alert.

1. Compliance Programs
   Policies and procedures were not adequately designed and tested to account for an adviser’s unique operations. This included a lack of policies and procedures that addressed risks created by online platforms and tools, including performance of algorithms and automated processes such as rebalancing. Additionally, policies and procedures were not adequately reviewed at least annually, which in many cases resulted in noncompliance with marketing practices and the “Custody Rule”. Some advisers also violated the “Code of Ethics Rule” by not properly identifying access persons and receiving required holdings and transaction reports and other documentation required under advisers’ codes.
2. Portfolio Management – Oversight, Disclosures and Conflicts of Interest
   Many advisers lacked policies and procedures to test their platforms to ensure they were functioning as intended given the various automated processes that may be carried out.
   
   Many also lacked policies and procedures to test that their platforms were designed in a way to ensure advice is provided in each client’s best interest, based on a client’s investment objectives and financial situations. Where questionnaires were used to collect data, the staff were concerned whether advisers collected enough information to provide suitable advice, and that information from those questionnaires were periodically updated.
   
   Certain advisers failed to adopt policies and procedures related to best execution, which is an issue that all advisers, not just digital advisers, with trading discretion must have controls to address.
   
   Certain advisers failed to include adequate disclosure about conflicts of interest, advisory fees, investment practices, and ownership structure.
3. Performance advertising and marketing
   More than half of the advisers examined made misleading or prohibited statements on their websites, used materially misleading performance advertisements on their website, which included hypothetical performance results on an investment model without adequate disclosure, or provided inadequate or insufficient disclosure about “human” services.
4. Cybersecurity and protection of client information
   Many of the cybersecurity policies and procedures reviewed did not address the firm’s systems and how they would respond to cybersecurity events. The staff additionally noted a lack of compliance with Regulation S-ID, due to a lack of policies and procedures designed to detect, prevent, and mitigate identity theft. The staff also observed a lack of policies and procedures related to privacy under Regulation S-P, and firms failed to deliver initial and annual privacy notices to all clients when required.
5. Registration matters
   Nearly half of the advisers claiming reliance on the internet adviser exemption were ineligible to do so given the requirements under that exemption.
6. Rule 3a-4
   Many of the advisers recommending investment programs commonly provided the same or similar investment advice on a discretionary basis to a large number of clients. Advisers were unaware that those programs may be unregistered investment companies. Some advisers claimed reliance on Rule 3a-4, even when clients with similar investment objectives received the exact same investment advice. Additionally, some advisers’ investment programs did not comply with all the provisions of the safe harbor or have or implement policies and procedures adequate for complying with Rule 3a-4. For example, advisers did not gather enough information pertinent to providing an individualized recommendation in a client’s best interest. Advisers did not allow clients to propose reasonable restrictions in the client’s account or they impeded a client’s ability to do so. Advisers did not contact each client at least annually to update a client’s financial situation and objectives or determine if a client wished to impose a reasonable restriction, and advisers did not provide clients with written notification to contact the adviser with any changes to the client's information.
   
   Rule 3a-4 also provides for the retention of certain indicia of ownership by clients to the same extent as if the clients held the securities and funds of the accounts outside of the investment advisory program. However, the staff observed advisers who limited clients' abilities to make withdrawals from the client’s accounts, did not allow clients to vote proxies or delegate proxy voting to a third-party, did not ensure clients were being sent legally required documentation, or allow clients to legally proceed directly as a security holder against an issuer of a security in the client’s account.

Ways to improve

As a result of the exams conducted, the staff offered some ways to improve compliance programs or practices to consider.

The staff noted that advisers with adequate and effective compliance programs did not have deficiencies in various areas such as portfolio management, custody, and books and records. This suggests that if an adviser takes the time to develop a program customized to its specific business model, it’s less likely that it will be prone to deficiencies, given that controls are put in place to address the relevant risks of the adviser.

The staff also noted common testing practices as it relates to algorithms used by advisers. Advisers that leverage algorithms should consider frequent testing that involves the various functional groups of an adviser, which would include personnel from software development, portfolio management, compliance, internal audit, and IT, as applicable. Additionally, in designing a testing program, automated exception reporting that generates items of interest for review by software development, portfolio management and/or IT staff can be a helpful and valuable control.

The staff highlighted practices employed to safeguard algorithms. It's important that underlying coding be appropriately safeguarded to prevent unauthorized changes. Additionally, advisers should involve compliance personnel whenever changes or overrides to algorithms occur, which will allow an adviser to identify any actions that need to be taken from a compliance standpoint as a result of planned changes to an adviser’s platform.

To the extent an advises leverages the technology of a third-party to provide their digital platform, there should be a mechanism that requires the third-party to notify the adviser if there are any changes to the underlying code that would affect the adviser’s digital platform, or otherwise how the adviser provides advisory services leveraging the third-party’s technology.

ACA guidance

Compliance Programs
The risk alert provides digital advisers a good sense of topics they should address when designing compliance programs around their specific digital advisory practice. There is no surprise that the SEC exam staff expects policies and procedures customized to an adviser’s business. Digital advisers should look at their advisory practice to ensure there are written controls that address the unique aspects of their business model. In order to build a customized program that addresses the relevant risks the adviser’s platform presents, advisers should ensure compliance personnel are involved when a platform is created and when changes are made, so appropriate controls can be implemented. This also provides an adviser’s compliance personnel the opportunity to fully understand what the platform is doing for its clients and to help ensure that disclosures align with actual practices.

Testing
It should also not come as a surprise that testing is expected. While a digital advisory program may offer efficiencies in many ways, advisers need to ensure the automated processes that are put in place are doing what they are designed to do. Clients sign on for an adviser’s services based on the understanding that the adviser is doing what it has represented in its various marketing materials and disclosures. If an adviser doesn’t have controls in place to ensure that systems are functioning as intended, that could mean a large percentage, if not all, of an adviser’s client portfolios are managed in a way that deviates from disclosed practices. That is obviously a huge potential issue that could be perceived as investor harm, and advisers should confirm testing programs are designed appropriately and done with a frequency that makes sense, taking into account the adviser’s particular digital advisory services.

Client Questionnaires
A traditional advisory relationship would allow an individual from the adviser (i.e. an investment adviser representative) to follow up with a client to confirm he or she fully understands a client’s particular situation. When you take that interactive, human element away, the importance of the client questionnaire (or other means of collecting client data) becomes exponentially more important. Client questionnaires (and other mechanisms soliciting client information) should gather sufficient information from clients. While the SEC does not mandate a certain number of questions or which type of information should be solicited, the SEC’s view on this important step in the client relationship is reiterated in the Commission Interpretation Regarding Standard of Conduct for Investment Advisers, whereby advisers should have sufficient information about a client and the client’s objectives in order to create investment advice that suits a client’s situation and is in the client’s best interest.

Rule 3a-4
In the alert, the Division highlighted a topic that was only lightly touched in prior guidance issued by way of an IM Guidance Update issued in February 2017. While it could have been overlooked by some, as it falls under the IC Act, this risk alert shows that it is a topic that all digital advisers need to be conscious of and design policies and procedures to address the rule, depending on its applicability to an adviser’s program.

Best Execution
All investment advisers have a fiduciary duty to obtain best execution of client transactions and should conduct periodic and systematic reviews to evaluate the quality of the execution performance of trading counterparties. As observed by the staff, some of the examined robo-advisers failed to do a best execution review, or were unaware of best execution obligations. ACA has observed that many digital advisers may partner with a particular trading counterparty because of the ability to integrate with the adviser’s technology. These advisers are not exempted from their fiduciary duty to obtain best execution.

Where an adviser partners with a particular trading counterparty because of the ability to integrate with the adviser’s technology or platform, advisers still have an obligation to review that trading counterparty on an ongoing basis to ensure partnership with that counterparty makes sense for an adviser’s digital platform and clients on the platform, analyzing the trading arrangement from both a quantitative and qualitative perspective.

Cybersecurity
Appropriate protection must be built around all aspects of an adviser’s digital advisory offering to ensure the adviser’s systems, including coding that drives such systems, and client assets, are not prone to threats posed by bad actors, whether internal or external. Periodic risk assessments are an essential practice that need to be done by all robo-advisors to ensure each adviser identifies where it has vulnerabilities and builds controls that address each of those identified vulnerabilities.

How we help

ACA offers subject matter expertise within the digital advisory space and can assist in creating, implementing, testing, and reviewing digital advisory compliance programs, corresponding policies and procedures, cybersecurity, and provisions of Rule 3a-4, among others.

Compliance Program Reviews, Mock Exams, and Gap Analysis
We provide periodic testing of firms’ governance and control arrangements, as well as its policies and procedures as mandated by Rule 206(4)-7 of the Investment Advisers Act of 1940.

Portfolio Management / Model Risk and Validation
We assist in reviewing model risk and validation processes to ensure a robust portfolio management process.

Testing
We can help determine testing needs, perform testing, analyze the results, and determine the best path forward if enhancements are needed.

Marketing
We assist with marketing reviews and gap analysis for processes to the new Marketing Rule.

Cybersecurity and Information Safeguarding
ACA Aponix^® provides cybersecurity and technology risk programs, data privacy compliance services, network testing, and advisory services for companies of all sizes.

Registration Matters
We can assist with preparing, maintaining, and filing Form ADV with the SEC.

If you have any questions about these observations, please contact us or reach out to your ACA consultant.