Nov 122021

SEC Identifies Deficiencies From its Electronic Investment Advice Initiative

W. Hardy Callcott, Elizabeth Shea Fries, Laurin Blumenthal Kleiman, Victoria A. Anglin, Chuck Daly, Ranah Esmaili and Nathan J. Greene
, , ,

On November 9, 2021, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (EXAMS) released a risk alert (Risk Alert) concerning deficiencies it observed in its examinations of advisers providing electronic advisory services, including advisers known as “robo-advisers.”1 Those deficiencies were in the areas of the robo-advisers’ compliance programs, portfolio management practices (including advisers’ fiduciary obligations), and marketing/performance advertising.

The Risk Alert also identified issues related to many robo-advisers’ registration with the SEC as an investment adviser, particularly firms registering on the basis of Rule 203A2(e) of the Investment Advisers Act of 1940, as amended (Advisers Act). The Risk Alert also highlights concerns with robo-advisers’ reliance on, or adherence to, Rule 3a-4 under the Investment Company Act of 1940, as amended (Company Act). Specifically, the EXAMS staff reminded robo-advisers of the need to follow applicable registration requirements, exemptions, and safe harbors, both under (1) the Advisers Act, to be properly registered with the SEC, either as an Internet adviser relying on Advisers Act Rule 203A2(e) or another applicable provision or exemption, and (2) the Company Act, to avoid having their discretionary investment program deemed an unregistered investment company.

More broadly, the EXAMS staff encouraged robo-advisers to revisit their compliance programs, disclosures, portfolio management, and marketing materials for compliance with relevant rules and regulations based on their electronic advisory services offerings. The Risk Alert serves as a reminder to advisers to disclose accurately and completely their practices, and to design compliance programs and testing to ensure that those practices are followed on an ongoing basis.

Compliance, Portfolio Management, Advertising, and Cybersecurity Observations

Significant takeaways come from EXAMS’ observations regarding how robo-advisers can address specific areas of observed deficiencies and improve firms’ compliance practices, including the following:

  • adopting written policies and procedures tailored to the adviser’s practices as a robo-adviser and implementing and following those practices
  • testing investment algorithms periodically to ensure that such algorithms are operating as expected and documenting the results of any testing
  • safeguarding algorithms to prevent unintended or unauthorized changes through the use of access restrictions or changing control protocols
  • confirming that performance advertising and marketing practices comply with the requirements of Advisers Act Rule 206(4)-1
  • reviewing the robo-adviser’s cybersecurity practices for the protection of client information

EXAMS also noted portfolio management practices that robo-advisers should revisit to confirm appropriate account oversight, including:

  • reviewing policies designed to confirm that investment advice being provided is in each client’s best interest based on the client’s investment objectives
  • confirming operational and supervisory controls for automated platforms and the proper functioning of investment algorithms, with a focus on addressing the risk of any algorithm’s producing unintended and inconsistent results (e.g., due to coding errors or unusual market conditions)
  • assessing best execution for trading of accounts on automated platforms

EXAMS’ recommendations arose from identified deficiencies where the examined advisers:

Compliance Programs

  • lacked adequate compliance programs, typically due to not having any written policies and procedures, not implementing or testing such policies or having policies and procedures that were insufficient for the applicable adviser’s operations,
  • lacked controls for disclosures, which contributed to inaccurate or incomplete disclosures concerning conflicts of interest, advisory fees, investment practices, and ownership structure
  • included hedge clauses or other exculpatory language in service agreements or disclosures that did not necessarily align with their fiduciary duty

Portfolio Management

  • lacked policies and procedures to assess whether the robo-adviser’s algorithms were performing as intended or whether asset allocation and/or rebalancing services were occurring as disclosed; and/or data aggregation services were not impairing the safety of clients’ assets as a result of the adviser’s having direct or indirect access to clients’ credentials
  • did not test the investment advice generated by their platforms to clients’ stated or platform-determined investment objectives or otherwise did not satisfy their duty of care

Marketing and Advertising

  • lacked procedures to detect inadequacies or noncompliance with marketing and performance advertising practices, resulting in advertisement-related deficiencies, including
    • having misleading or prohibited statements on their websites
    • having materially misleading performance advertisements on their websites, including hypothetical performance results of an investment model applied retroactively
    • providing inadequate or insufficient disclosure concerning “human” services

Cybersecurity Programs

  • lacked policies and procedures protecting the firm’s systems and responding to cybersecurity events
  • were not in compliance with Regulation S-ID or Regulation S-P because they
    • had “covered accounts” but lacked written policies and procedures designed to detect, prevent, and mitigate identity theft,
    • lacked or did not implement written policies and procedures addressing compliance with certain elements of Regulation S-P, and/or
    • did not deliver initial and/or annual privacy notices to all clients.

Registration Observations

EXAMS observed that nearly half the advisers claiming eligibility to register with as an investment adviser pursuant to Rule 203A2(e) were ineligible to do so, and many other advisers were not otherwise eligible for SEC registration as an investment adviser because such advisers did not have an interactive website or had advisory personnel who could provide investment advice directly to clients (in addition to the advice provided through the interactive website). EXAMS also observed that some advisers’ affiliates were operating as unregistered investment advisers because while the affiliates were operationally integrated with the respective advisers, the affiliates themselves were not eligible to register as with the SEC internet advisers.

EXAMS reminded robo-advisers that failure to satisfy all of the elements of the safe harbor from the definition of “investment company” under Rule 3a-4 of the Company Act may result in their activities being subject to the rules and requirements applicable to investment companies. Moreover, these types of registration issues can result in enforcement charges.

Specifically, the Risk Alert identified specific safe harbor-related deficiencies where such robo-advisers

  • were unaware that the discretionary investment advisory programs that the advisers sponsored may be unregistered investment companies, and some did not claim reliance on the safe harbor
  • claimed to rely on the safe harbor, but their policies and procedures were either inadequate in addressing adherence with the safe harbor or were not implemented
  • did not obtain —or did not contact clients annually to update — information from each client regarding the client’s financial situation and investment objectives necessary in order to provide the client with individualized advice, or inquire as to whether the client wished to impose any reasonable restrictions on the management of their account
  • failed to provide clients with quarterly statements with activity information
  • did not ensure clients retained the indicia of ownership because, for example, the adviser either restricted the client’s ability to withdraw cash or securities from the accounts or the adviser did not allow the client to vote proxies

1https://www.sec.gov/files/exams-eia-risk-alert.pdf

W. Hardy Callcott

San Francisco

wcallcott@sidley.com

Elizabeth Shea Fries

Boston

efries@sidley.com

Laurin Blumenthal Kleiman

New York

lkleiman@sidley.com

Victoria A. Anglin

vanglin@sidley.com

Chuck Daly

New York, Boston

cdaly@sidley.com

Ranah Esmaili

Washington, D.C.

resmaili@sidley.com

Nathan J. Greene

New York

ngreene@sidley.com

You might also like
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.