Nov 122021

SEC Identifies Deficiencies From its Electronic Investment Advice Initiative

Ranah Esmaili, Nathan J. Greene, W. Hardy Callcott, Elizabeth Shea Fries, Laurin Blumenthal Kleiman, Victoria A. Anglin and Chuck Daly
, , ,

On November 9, 2021, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (EXAMS) released a risk alert (Risk Alert) concerning deficiencies it observed in its examinations of advisers providing electronic advisory services, including advisers known as “robo-advisers.”1 Those deficiencies were in the areas of the robo-advisers’ compliance programs, portfolio management practices (including advisers’ fiduciary obligations), and marketing/performance advertising.

The Risk Alert also identified issues related to many robo-advisers’ registration with the SEC as an investment adviser, particularly firms registering on the basis of Rule 203A2(e) of the Investment Advisers Act of 1940, as amended (Advisers Act). The Risk Alert also highlights concerns with robo-advisers’ reliance on, or adherence to, Rule 3a-4 under the Investment Company Act of 1940, as amended (Company Act). Specifically, the EXAMS staff reminded robo-advisers of the need to follow applicable registration requirements, exemptions, and safe harbors, both under (1) the Advisers Act, to be properly registered with the SEC, either as an Internet adviser relying on Advisers Act Rule 203A2(e) or another applicable provision or exemption, and (2) the Company Act, to avoid having their discretionary investment program deemed an unregistered investment company.

More broadly, the EXAMS staff encouraged robo-advisers to revisit their compliance programs, disclosures, portfolio management, and marketing materials for compliance with relevant rules and regulations based on their electronic advisory services offerings. The Risk Alert serves as a reminder to advisers to disclose accurately and completely their practices, and to design compliance programs and testing to ensure that those practices are followed on an ongoing basis.

Compliance, Portfolio Management, Advertising, and Cybersecurity Observations

Significant takeaways come from EXAMS’ observations regarding how robo-advisers can address specific areas of observed deficiencies and improve firms’ compliance practices, including the following:

  • adopting written policies and procedures tailored to the adviser’s practices as a robo-adviser and implementing and following those practices
  • testing investment algorithms periodically to ensure that such algorithms are operating as expected and documenting the results of any testing
  • safeguarding algorithms to prevent unintended or unauthorized changes through the use of access restrictions or changing control protocols
  • confirming that performance advertising and marketing practices comply with the requirements of Advisers Act Rule 206(4)-1
  • reviewing the robo-adviser’s cybersecurity practices for the protection of client information

EXAMS also noted portfolio management practices that robo-advisers should revisit to confirm appropriate account oversight, including:

  • reviewing policies designed to confirm that investment advice being provided is in each client’s best interest based on the client’s investment objectives
  • confirming operational and supervisory controls for automated platforms and the proper functioning of investment algorithms, with a focus on addressing the risk of any algorithm’s producing unintended and inconsistent results (e.g., due to coding errors or unusual market conditions)
  • assessing best execution for trading of accounts on automated platforms

EXAMS’ recommendations arose from identified deficiencies where the examined advisers:

Compliance Programs

  • lacked adequate compliance programs, typically due to not having any written policies and procedures, not implementing or testing such policies or having policies and procedures that were insufficient for the applicable adviser’s operations,
  • lacked controls for disclosures, which contributed to inaccurate or incomplete disclosures concerning conflicts of interest, advisory fees, investment practices, and ownership structure
  • included hedge clauses or other exculpatory language in service agreements or disclosures that did not necessarily align with their fiduciary duty

Portfolio Management

  • lacked policies and procedures to assess whether the robo-adviser’s algorithms were performing as intended or whether asset allocation and/or rebalancing services were occurring as disclosed; and/or data aggregation services were not impairing the safety of clients’ assets as a result of the adviser’s having direct or indirect access to clients’ credentials
  • did not test the investment advice generated by their platforms to clients’ stated or platform-determined investment objectives or otherwise did not satisfy their duty of care

Marketing and Advertising

  • lacked procedures to detect inadequacies or noncompliance with marketing and performance advertising practices, resulting in advertisement-related deficiencies, including
    • having misleading or prohibited statements on their websites
    • having materially misleading performance advertisements on their websites, including hypothetical performance results of an investment model applied retroactively
    • providing inadequate or insufficient disclosure concerning “human” services

Cybersecurity Programs

  • lacked policies and procedures protecting the firm’s systems and responding to cybersecurity events
  • were not in compliance with Regulation S-ID or Regulation S-P because they
    • had “covered accounts” but lacked written policies and procedures designed to detect, prevent, and mitigate identity theft,
    • lacked or did not implement written policies and procedures addressing compliance with certain elements of Regulation S-P, and/or
    • did not deliver initial and/or annual privacy notices to all clients.

Registration Observations

EXAMS observed that nearly half the advisers claiming eligibility to register with as an investment adviser pursuant to Rule 203A2(e) were ineligible to do so, and many other advisers were not otherwise eligible for SEC registration as an investment adviser because such advisers did not have an interactive website or had advisory personnel who could provide investment advice directly to clients (in addition to the advice provided through the interactive website). EXAMS also observed that some advisers’ affiliates were operating as unregistered investment advisers because while the affiliates were operationally integrated with the respective advisers, the affiliates themselves were not eligible to register as with the SEC internet advisers.

EXAMS reminded robo-advisers that failure to satisfy all of the elements of the safe harbor from the definition of “investment company” under Rule 3a-4 of the Company Act may result in their activities being subject to the rules and requirements applicable to investment companies. Moreover, these types of registration issues can result in enforcement charges.

Specifically, the Risk Alert identified specific safe harbor-related deficiencies where such robo-advisers

  • were unaware that the discretionary investment advisory programs that the advisers sponsored may be unregistered investment companies, and some did not claim reliance on the safe harbor
  • claimed to rely on the safe harbor, but their policies and procedures were either inadequate in addressing adherence with the safe harbor or were not implemented
  • did not obtain —or did not contact clients annually to update — information from each client regarding the client’s financial situation and investment objectives necessary in order to provide the client with individualized advice, or inquire as to whether the client wished to impose any reasonable restrictions on the management of their account
  • failed to provide clients with quarterly statements with activity information
  • did not ensure clients retained the indicia of ownership because, for example, the adviser either restricted the client’s ability to withdraw cash or securities from the accounts or the adviser did not allow the client to vote proxies

1https://www.sec.gov/files/exams-eia-risk-alert.pdf

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Ranah Esmaili

Washington, D.C.

resmaili@sidley.com

Nathan J. Greene

New York

ngreene@sidley.com

W. Hardy Callcott

San Francisco

wcallcott@sidley.com

Elizabeth Shea Fries

Boston

efries@sidley.com

Laurin Blumenthal Kleiman

New York

lkleiman@sidley.com

Victoria A. Anglin

vanglin@sidley.com

Chuck Daly

New York, Boston

cdaly@sidley.com

You might also like
SEC’s Cybersecurity Disclosure Rules Are Here. Is Your Company Ready to Comply?

Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.

EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?

On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.

UK ICO Scrutinizes Use of Generative AI

Following the EU’s increased focus on generative AI with the inclusion of foundation and generative AI in the latest text of the EU AI Act (see our post here), the UK now also follows suit, with the UK’s Information Commissioner’s Office (“ICO”) communicating on 15 June 2023 its intention to “review key businesses’ use of generative AI.” The ICO warned businesses not to be “blind to AI risks” especially in a “rush to see opportunity” with generative AI. Generative AI is capable of generating content e.g., complex text, images, audio or video, etc. and is viewed as involving more risk than other AI models because of its ability to be used across different sectors (e.g., law enforcement, immigration, employment, insurance and health), and so have a greater impact across society – including in relation to vulnerable groups.