Complete Guide to RIA Compliance: Best Practices for Navigating Regulatory Changes

RIA Compliance Checklist 

Below is a comprehensive checklist of the essential information that you must familiarize yourself with to ensure full compliance of your new RIA firm with the appropriate governing bodies. Regardless of where you’re at in the process, the following are the seven key factors that warrant careful examination throughout the journey.

1. Draft your form filings and documentation 

To effectively register your Registered Investment Advisor (RIA) firm with the appropriate regulatory bodies, it is crucial to prepare and organize the necessary form filings and documents.

While not all the forms listed below are required at the initial stage (although most are), it is important to note that exceptions and exemptions exist. However, it is imperative to have these forms readily available in case of an audit by the authorities.

• • Form ADV (discussed above)
  • Policies and procedures manual:  In November 2020, the North American Securities Administrators Association (NASAA) introduced a new model rule aimed at providing clarity on the necessary policies and procedures that RIA firms must have in place. According to this rule, investment advisors are required to address the following key areas:

    • Compliance Policies and Procedures: RIAs must establish, maintain, and enforce written policies and procedures that are reasonably designed to prevent any violations of the Uniform Securities Act of 1956 and the related rules adopted by the securities administrator.

    • Supervisory Policies and Procedures: RIAs must develop, implement, and enforce written supervisory policies and procedures that are reasonably designed to prevent any violations of the Uniform Securities Act of 1956 and the related rules by their supervised individuals.

    • Proxy Voting Policies and Procedures: If an RIA has the authority to vote on behalf of clients, they must clearly outline the process and adhere to written policies and procedures. In cases where the firm lacks authority to vote on client securities, this should be disclosed to clients.

    • Physical Security and Cybersecurity Policies and Procedures: RIAs must establish, implement, update, and enforce written policies and procedures that ensure the confidentiality, integrity, and availability of both physical and electronic records and information. The design of these policies and procedures should be tailored to the specific business model of the RIA, considering the firm’s size, services offered, and number of locations.

    • Code of Ethics: As mentioned above, RIAs must maintain a comprehensive written code of ethics that outlines expected employee conduct and outlines the appropriate actions to be taken in the event of a Code of Ethics violation.

    • Material Non-Public Information Policy and Procedures: RIAs must establish, maintain, and enforce written policies and procedures that are reasonably designed to prevent the misuse of material, non-public information by the RIA or any individuals associated with the firm.

    • Business Continuity and Succession Plan: RIAs must create, maintain, and enforce written policies and procedures that address business continuity and succession planning.

  • Investment Advisory Contracts:  It is crucial to carefully consider the creation and maintenance of investment advisory agreements. Although this is not explicitly required for an SEC RIA application, most states scrutinize client contracts during the registration process. 

  • To ensure the integrity of your contracts, reflect on the following queries:

    • Does your firm possess appropriately executed written client agreements for each client relationship?

    • Do the fees, fee calculation methods, and billing frequency align with the client’s invoicing?

    • Are the firm’s current services and discretionary authority correctly outlined in the executed agreement?

    • Does the contract contain any hedge clauses that may conflict with your firm’s fiduciary responsibility? 

  • Licensing Requirements for Investment Advisor Representatives (IARs):  If you are establishing your own Registered Investment Advisor (RIA), it is likely that you already possess a Series 7, 65, or 66 license (or an equivalent professional credential). This is an opportune moment to ensure the currency and compliance of all your credentials, aligning with the regulations of the governing bodies under which you plan to register.

2. Register Your RIA with the Proper Authorities 

To ensure compliance with regulatory requirements, it is necessary to register your Registered Investment Advisor (RIA) with the appropriate authorities. Registration procedures may vary depending on different factors as detailed below.

• • Registration with the U.S. Securities and Exchange Commission (SEC):
    

• • • Typically, advisory firms starting an RIA with assets under management (AUM) of $100 million or more are required to register with the SEC as an RIA. However, there are exceptions to this rule.

    • For instance, advisory firms based in New York must register with the SEC if their AUM exceeds $25 million. Additionally, firms that serve as advisors to investment companies registered under the Investment Company Act of 1940 must register with the SEC regardless of the AUM.

    • Moreover, RIAs required to register in 15 or more states are generally required to register with the SEC, irrespective of AUM. For further detailed information, refer to the SEC’s comprehensive document titled, “Regulation of Investment Advisers by the U.S. Securities & Exchange Commission.“

  • Registration with the State:
    
    • With exceptions considered, prospective RIA firms with less than $100 million in AUM should register with the relevant state authority rather than the SEC. Generally, an advisory firm must register in any state where it meets one or more of the following criteria:
    • Has a physical location or office.
    • Has a representative physically located.
    • Has five or more clients (or a single client in Texas and Louisiana).
    • Is physically soliciting in that state.

  • It is important to note that registration requirements and processes may vary from state to state, and there may be exceptions to the general guidelines.

  • It is worth mentioning that Registered Investment Advisors (RIAs) are not required to register with the Financial Industry Regulatory Authority (FINRA), as FINRA does not have regulatory authority over RIAs. However, FINRA does facilitate the online filing system for the registration of RIAs and their Investment Advisor Representatives (IARs).

3. Choose Your CCO

As experts in RIA compliance consulting, we frequently encounter the question, “Is it necessary for my firm to recruit a dedicated CCO?” The response, much like many facets of RIA compliance, is contingent upon various factors.

All RIAs, regardless of size, are obliged to have an internal CCO, although it may be someone who also handles additional responsibilities. In many instances, the advisor-owner assumes this role during the early stages of the RIA’s establishment, which comes with its own advantages and disadvantages.

• • Advantage: It eliminates the expenses associated with hiring a full-time CCO.
  • Disadvantage: The CCO may not possess extensive knowledge and expertise in RIA compliance.

As mentioned above, working with a partner like Integrated Financial Group can help curb the costs and concerns of maintaining compliance. Among other services, IFG advisors gain access to experts that specialize in compliance support. For more information, check out our financial planning services.

4. Safeguard your firm from cybersecurity threats 

With the ever-expanding array of threats, like phishing scams, malware, ransomware, and trojans, it’s crucial to protect your RIA firm’s sensitive information. As digital technologies become increasingly integral to running an RIA, cybersecurity poses a more dangerous challenge.

Ensuring the safety of your firm and clients is no longer just a best practice but a necessary step, as failure to implement basic security measures may lead to substantial penalties.

Do you handle online payments or collect personally identifiable information (PII) and financial records? Even if you simply rely on technology for everyday operations, you remain vulnerable to ransomware attacks. 

Carefully assess your business practices to identify potential vulnerabilities and implement suitable protective measures.

To assist you in this process, we offer a complimentary Cybersecurity RIA Compliance Checklist, available for download.

In a press release issued in July 2023, the SEC announced that it has adopted rules requiring registrants to disclose information about their cybersecurity risk management and governance on an annual basis. The new rules require registrants to disclose material cybersecurity incidents on Form 8-K within four business days, unless the United States Attorney General deems otherwise.

Registrants are also now required to disclose any and all processes related to cybersecurity risks in their annual Form 10-K report, including board oversight of risks and management’s role in assessing and managing them.

All registrants must provide Form 10-K, 20-F, 8-K and 6-K disclosures beginning December 15, 2023 with smaller reporting companies receiving an additional 180 days before they must begin providing the Form 8-K disclosure, and all registrants must tag disclosures in Inline XBRL one year after initial compliance.

5. Make sure your RIA is properly insured 

While insurance may not be mandatory for starting a new RIA firm, it is prudent for most RIA firms to consider two specific types:

• • Errors and Omissions Insurance:

    • We highly recommend acquiring liability insurance to protect your firm. Neglecting to obtain such coverage exposes your firm to significant business risks.

    • However, it is crucial to note that even the most comprehensive E&O insurance plan will not provide coverage for an inadequate RIA compliance program. For instance, insurance programs generally do not cover regulatory fines and sanctions. Therefore, it is imperative for your firm to establish internal compliance policies and procedures to foster a culture of compliance.

  • Cybersecurity Insurance:

    • Cyber insurance offers a vital and often underestimated service to RIA firms. Without proper cyber coverage, many small and midsize businesses are vulnerable to the severe consequences of a cyber attack.

    • When choosing cybersecurity insurance, it is important to follow the same steps as you would for any other type of insurance. Educate yourself, carefully weigh the options, and seek expert assistance if needed.

6. Understand and adhere to your fiduciary duties 

The SEC outlines two fundamental principles that govern the fiduciary duty of investment advisors: Duty of Care and Duty of Loyalty. Let’s delve deeper into each of these principles.

• • Duty of Care encompasses three key obligations:
    • Duty to Provide Advice in the Client’s Best Interest:  Investment advisors are obligated to offer advice that aligns with the best interests of their clients. This entails understanding and considering their unique financial situations, goals, and risk tolerance.
    • Duty to Seek Best Execution:  Advisors must diligently strive to execute trades on behalf of their clients in a manner that achieves the most favorable terms reasonably available under the circumstances.

    • Duty to Act and Provide Ongoing Advice and Monitoring:  Fiduciaries are responsible for continually acting in the best interests of their clients and maintaining regular communication. This includes offering advice and monitoring the progress of the client’s financial plan throughout the duration of the relationship.

• • Furthermore, fiduciaries must implement ongoing monitoring procedures to ensure that financial plans remain on track, even in the face of changing market conditions. Open and clear communication regarding risks and costs is crucial.

Adhering to the principles of the Duty of Care enables fiduciary advisors to cultivate trust, promote transparency, and strive for optimal financial outcomes on behalf of their clients.

The Duty of Loyalty is another fundamental requirement for investment advisors as outlined by the SEC:

According to the SEC, investment advisors have a primary responsibility to prioritize their clients’ best interests. This means that advisors must not favor their own interests over those of their clients, nor unfairly favor one client over another. In order to fulfill this duty, advisors are obligated to provide full and fair disclosure of all material facts pertaining to the advisory relationship.

Furthermore, maintaining transparency and fulfilling the Duty of Loyalty requires investment advisors to disclose any conflicts of interest that may arise. A conflicts of interest can occur when an advisor’s personal or financial interests have the potential to influence their advice, recommendations, or actions on behalf of a client. To adequately address conflicts of interest, advisors must provide clear and detailed disclosures to clients. These disclosures should enable clients to make informed decisions regarding their consent or rejection of such conflicts and practices.

Adhering to fiduciary responsibilities presents both opportunities and challenges for advisors. By prioritizing client interests above their own, fiduciaries can attract new prospects and build trust with existing clients. It is crucial, however, for advisors to remain vigilant and consistently uphold their fiduciary obligations.

7. Effectively Address Disciplinary Disclosures 

Firms need to pay careful attention to individuals who have disciplinary disclosures, as emphasized by the SEC. If you or any of your colleagues have such disclosures, it is crucial to consider a few key points.

Mandatory Disclosure:  It should go without saying that when it comes to disclosures, one must adhere to the SEC’s requirements. However, during their routine audits, the SEC has discovered instances where firms:

• • Failed to disclose material information related to disciplinary histories of specific supervised individuals or even the advisory firm itself.

  • Included incomplete, unclear, or misleading details regarding disciplinary events.

  • Did not promptly update and deliver disclosure documents to clients, such as updating Form ADV for new disciplinary events of supervised individuals reported on the Central Registration Depository (CRD), such as Form U5s.

Risk Mitigation is Essential:  If you or any member of your team has disciplinary disclosures, your firm’s policies and procedures should effectively address the associated risks. The SEC has identified numerous firms that have failed to do so.