The SEC Declares “You All Fail” - Summary of Recent SEC Examinations into Advisers Offering Electronic Investment Advice

The number of investment advisers offering automated digital investment advisory services to their clients is on the rise. Accordingly, the SEC recently conducted a series of examinations to assess the compliance programs of “robo-advisory services” under a project called the Electronic Investment Advice Initiative (the “Initiative”). In order to assess a broad base of firms, the SEC selected advisers with differing business models, client types, assets under management and bases for registration with the SEC, including, advisers that: (1) provide robo-advisory services to employer-sponsored retirement plans (“retirement plans”) and/or retail investors; (2) sold, licensed, or otherwise granted interactive, digital platform access to third parties; and/or (3) provided advisory or sub-advisory services to an interactive, digital investment platform.  In summary, the results are bleak and the SEC noted observations of compliance deficiencies across the industry. 

Frequently Identified Compliance Deficiencies

The SEC noted that most advisers had inadequate compliance programs as a result of either a lack of written policies and procedures, or ones that were insufficient for their business operations. Others had policies that were designed but not implemented or they failed to adequately test those policies to ensure compliance and effectiveness. Other policy and procedure failures included:

1. Electronic Investment Advice.

Compliance Programs:

• Failures to design and implement policies and procedures to ensure algorithms were performing as intended.
• Failures to design and implement policies and procedures to ensure asset allocations and/or rebalancing services were occurring as disclosed to investors.
• Failures to design and implement policies and procedures to ensure that data aggregation services (particularly which provide direct access to client’s credentials) did not endanger the safety of client assets.
• Failures to undertake annual reviews of policies and procedures to assess their adequacy and effectiveness.
• Failures to detect inadequacies or non-compliance with marketing and performance advertising practices.
• Failures to ensure compliance with the Code of Ethics Rule¹, including the failure to identify access persons and ensure receipt of written acknowledgements.

Portfolio Management Oversight:

• Failures to test and ensure that investment advice generated by automated digital platforms was commensurate with the investor’s investment objectives.
• Failures to collect the appropriate data points from customers in order to insure the resulting investment advice was appropriate for each individual investor.
• Failures to ensure that changes in an investor’s financial circumstances, objectives or risk tolerances were captured and acted upon.
• Failures to test and ensure that algorithms were producing intended and consistent results and that rebalancing and trade orders processed correctly.
• Failures to design and implement policies and procedures for satisfying best execution obligations.
• Failures to conduct periodic tests and reviews to ensure best execution compliance.

Portfolio Management – Disclosures and Conflicts:

• Failures to ensure accurate and complete ADV filings, including adequate disclosures involving conflicts of interest, advisory fees, investment practices, and ownership structures.
• The use of “hedge clauses” or exculpatory language in advisory agreements that did not align with fiduciary duty standards.
• Failures to disclose the relationship and shared fees with third parties.
• Failures to adequately describe how the adviser collects and uses information gathered from investors for the purpose of generating a recommended portfolio.
• Failures to adequately describe when and how rebalancing occurs in portfolios.
• Failures to describe processes for calculating profits and losses from trade errors. 
• Failures to remain consistent across advisory disclosures with respect to the calculations of advisory fees.

Performance Advertising and Marketing:

• Failures to remain fair, accurate and balanced with regard to statements published on websites, including:
  • The use of vague or unsubstantiated claims that could be misleading;
  • Misrepresenting SIPC protections by implying accounts would be protected from market declines.
  • The use of press logos (e.g., ABC, CNN, Forbes) without disclosing their relevance.
  • Providing references or links to positive third party commentary without disclosing relevance or conflicts of interest.

Cybersecurity and Safeguarding Customer Data:

• Failures to design and implement policies and procedures for protecting an adviser’s systems and responding to breaches upon occurrence.
• Failures to design and implement policies and procedures to detect, prevent and mitigate identity theft.
• Failures to design and implement policies and procedures to ensure compliance with Regulation SP².
• Failures to deliver initial and/or annual privacy notices to investors. 

Registration Issues:

• Nearly half of the advisers claimed reliance on the Internet Adviser Exemption³ despite ineligibility and many were not otherwise eligible for registration with the SEC even though they made such filings. Examples included:
  • Advisers that did not have an interactive website.
  • Advisers that supplemented their interactive website by providing advisory personnel for financial planning purposes.
  • Some adviser’s affiliates were operating as unregistered investment advisers because they were operationally integrated with their respective advisers and were prohibited under the Advisers Act Rule 203A-2(e)(iii)⁴ from relying on their respective adviser’s registration as a basis for their own.

2. Discretionary Investment Advisory Programs

Reliance on the Nonexclusive Safe Harbor Provisions of Rule 3a-4:

• In some instances, advisers indicated a reliance on the Rule 3a-4⁵ safe harbor but did not follow its strict requirements. For example, certain firms provided virtually the same or very similar advice to a large portion or all of their clients without individualizing advice and enabling clients to maintain certain indicia of ownership over securities, both of which are required for application of the safe harbor.
• Failures to claim Rule 3a-4 or any alternative protection thus rendering them unregistered advisers.

Establishing Client Accounts:  

• Failures to gather adequate data points from clients, whether from a questionnaire or otherwise, to ensure that generated advice is individually tailored to the investor and within their best interests.
• Failures to permit clients to impose reasonable restrictions on the advice rendered, such as limitation on the types of investments included within their portfolios.
• Failures to disclose to clients that they could impose reasonable restrictions on the advice rendered to them.

On-going Communications:

• Failures to communicate with clients annually for the purpose of updating client objectives and other relevant data, and to determine if the client wishes to impose any reasonable restrictions, or modify existing restrictions, on the management of a client’s account.
• Failures to communicate with clients at least quarterly for the purpose of soliciting changes to account profile information.
• Failures to adequately notify clients about the management of their accounts and in order to make themselves available to clients for consultation.

Account Statements: 

• Failures to provide clients with account statements that adequately inform clients regarding their accounts and related performance at least quarterly as required for Rule 3a-4 safe harbor protection.

Client Rights:

• Failures to ensure that clients retained certain indicia of ownership with regards to their securities as required for Rule 3a-4 safe harbor protection, including:
• the ability to freely withdraw cash or securities from their accounts;
• the ability to freely vote proxies or delegate such rights for all securities within their accounts;
• the ability to receive legally required documents, such as prospectuses and trade confirmations, for all investments; and
• the ability to pursue legal rights against the issuer of any security contained within their accounts.

SEC’s Suggestions for Improvement

In conducting its examinations, the SEC did make some positive observations about compliance programs and offered the following as affirmative ways for firms to improve in this area:

• Adopt, implement, and follow written policies and procedures that are tailored to the adviser’s practice, including provisions for adequate and appropriate client disclosures, marketing, portfolio management, best execution, custody of client assets, maintaining books and records, and operating consistent with a client’s best interests.
• Test algorithms periodically (quarterly is advisable) to ensure they are operating as intended, and consider the following:
• the involvement of representatives from portfolio management, compliance, internal audit and information technology groups.
• adding a degree of independence into the review; and 
• the inclusion of exception reports to surveil for anomalies and compliance related issues,
• Safeguard algorithms by limiting code access to prevent unauthorized changes or overrides.

Conclusion

While the topic of electronic advice seems to be a new focus for assessment by the SEC, we anticipate, given the noted widespread compliance failures noted herein, that examiners will continue to focus in this space for the foreseeable future. Transparency, compliance, testing and continuous improvement seem to be overarching SEC themes. Accordingly, those firms offering automated electronic investment advice to clients would be best advised to review their compliance programs to ensure compliance, focus and transparency. If you have questions on this topic or need assistance with securities regulatory or litigation matters, please reach out to us as we would be delighted to help with your needs. 

1. 17 CFR § 275.204A-1 - Investment adviser codes of ethics. This rule promulgated under the Investment Advisers Act requires an investment adviser registered or required to be registered under the Act to “establish, maintain, and enforce a written code of ethics.” Included in the rule’s five minimum requirements is that an adopted code of ethics include “provisions that require all of your access persons to report, and you to review, their personal securities transactions and holdings periodically.” § 275.204A-1(a)(3). The rule defines “access person” as a supervised person “who has access to nonpublic information regarding any clients’ purchase or sale of securities, or nonpublic information regarding the portfolio holdings of any reportable fund, or who is involved in making securities recommendations to clients, or who has access to such recommendations that are nonpublic.” § 275.204A-1(e)(1). Additionally, for advisers for whom providing investment advice is their primary business, all directors, officers and partners are presumed to be access persons. Id. Advisers must also provide supervised person with a copy of the code of ethics and a requirement that they sign a written acknowledgment of receipt. §275.204A-1(a)(5). The rule provides additional requirements for internal reporting to a chief compliance officer, exceptions to reporting requirements, pre-approval of certain investments, and exceptions for small advisers (those with only one access person).

2. 17 CFR § 248.30 – Procedures to safeguard customer records and information; disposal of consumer report information. Regulation SP was promulgated under the Gramm-Leach-Bliley Act to govern the treatment of consumer nonpublic personal information by financial institutions. It provides requirements for notice to consumers regarding privacy policies, description of the conditions under which a financial institution may disclose such information to nonaffiliated third parties, and offers a method for consumers to opt out of disclosures. § 248.1. The specific rule pertaining to investment adviser policies and procedures states that “every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” § 248.30(a). It further requires that policies and procedures “be reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Id. The rule also provides for proper methods of “disposal” of consumer report information.

3. 17 CFR § 275.203A 2(e)-Internet investment advisers. This provision allows an “internet investment adviser” to register with the Securities and Exchange Commission if it “provides investment advice to all of its clients exclusively through an interactive website, except that the investment adviser may provide investment advice to fewer than 15 clients through other means during the preceding twelve months.” § 275.203A 2(e)(1)(i). An investment adviser utilizing this exemption may not have an affiliated investment adviser which they control, are controlled by, or have common control with, register with the Commission solely in reliance on the internet investment adviser’s registration. § 275.203A 2(e)(1)(iii). The exemption also defines “interactive website” as one “in which computer software-based models or applications provide investment advice to clients based on personal information each client supplies through the website.” § 275.203A 2(e)(2).

4. See previous endnote.

5. 17 CFR § 270.3a-4 Status of investment advisory programs. This rule provides a “nonexclusive safe harbor from the definition of investment company for programs that provide discretionary investment advisory services to clients.” § 270.3a-4(Note). In order to qualify for the safe harbor, advisers must provide discretionary advisory services that meet a very specific list of characteristics. These required characteristics ensure that the services provided are tailored the individual client’s financial situation and investment objectives, as well as provide the client with the ability to impose reasonable restrictions on the management of the account. If the services they provided to clients fail to meet the detailed list of requirements set out in the rule, advisers relying on the safe harbor may be operating as unregistered investment advisers.