Part 2: Expert Interview with Leila Shaver

Compliance in the Internet Age: Regulators and Compliance Consultants

Part 2 of our Expert Interview with Leila Shaver, of My RIA Lawyer

This post is part of the Expert Interview series, which showcases some of the smartest thinking in the financial services industry on issues that matter most to advisors. If you would like to suggest a speaker or topic, please email your ideas to: media@folioinstitutional.com.

Leila Shaver is a securities attorney and founder of My RIA Lawyer. Leila started her career as in-house counsel for a large national brokerage firm with over 500 registered representatives based in Atlanta. She then moved on to do consulting work with hedge funds and alternative investment firms before joining a boutique firm specializing in hedge fund creation, where she managed the regulatory compliance part of the practice. Leila created My RIA Lawyer so that new and established investment advisors receive the best possible help, service, and guidance. She recently sat down with Greg Vigrass, President of Folio Institutional, to discuss what regulators are looking for, as well as what to think about when implementing your own compliance program, including the use of compliance consultants.

Vigrass: What are the state regulators and the SEC focusing on now?

Shaver: Cybersecurity is definitely a big focus. So many advisors are utilizing different technology applications and cloud-based providers to store their books and records. They retain very sensitive information like client social security numbers, addresses, and telephone numbers – identifying information that can be used to apply for a credit card or to gain access to a client’s account. It’s not just about ensuring that you have a firewall in place, or that you are using some sort of encryption when you’re sending client information. It’s also about testing your cybersecurity systems, and ensuring that you have the appropriate processes in place to respond if there is an attempted hack.

You have an obligation to perform due diligence on your cloud-based providers and technology platforms by requesting their cybersecurity policies. If you’re still using servers, make sure that you have back-ups, and back-ups to the back-ups. Some firms have 3-4 different back-ups located in different areas.

Vigrass: What are some low-hanging fruit to remain compliant?

Shaver: Maintain your books and records. Keep copies of canceled checks. For SEC registered firms, are you doing your annual compliance review? Have you read your compliance manual? Does it reflect what’s actually happening in your business? I can’t tell you how many times an advisor comes to us after being fined by a regulator and their compliance manual is a template or an unfinished document.

Regulators are trying to conduct more examinations more frequently, but they’re not necessarily working with bigger budgets and more people. So, they have to be more efficient. They want to see you doing the basics, because if you’re not, they’re going to assume that you’re not doing some of the more complex things, like a cybersecurity audit.

Vigrass: What are the steps you recommend advisors take if they are contacted about an audit?

Shaver: In most advisory firms, the CEO or the owner is also the CCO. If they have no idea when they last reviewed their compliance manual, they should review it. They will probably need to call a lawyer to deal with any questions or documentation they don’t have. An advisor with a healthy compliance culture doesn’t necessarily have to have an attorney come in at the beginning, but it’s good to have one on call. Most regulators prefer that the advisory firm have an attorney available because most attorneys who specialize in this area of law have been through examinations and know what to expect; they can actually help streamline the process and make it more efficient. If an issue comes up, an attorney can step in and try to mitigate any issues or push back on the regulator. Those communications are subject to attorney-client privilege, so you can just have a very frank conversation with your attorney and they can ensure that any issues are mitigated to the best of their ability. Ultimately, you want to avoid a regulator documenting deficiencies, and the faster you can nip potential deficiencies in the bud on the front end, the better.

Vigrass: What are the pros and cons of doing compliance yourself, and at what point does outsourcing make sense?

Shaver: It’s one thing if you start your own RIA with $100 million in assets under management. In that case, you could outsource compliance. That’s not going to be practical for other RIAs. There are non-law compliance providers out there, but they generally have high volume and use templates to keep costs low. So, it’s not customized.

Either educate yourself and find out what your compliance responsibilities are or hire a compliance consultant as soon as it’s practical for your business. But keep in mind that it’s not a guarantee against a future issue. We’ve had clients who have used compliance consultants and gone through a routine examination, but still have a bunch of deficiencies cited and end up paying a hefty fine. Compliance takes time. It requires your time every week, and as your business grows, so does the amount of time you have to spend on compliance, doing ad hoc testing, ensuring your books and records are up to date, etc. Your compliance responsibilities are the same whether you have $1 million in AUM, $100 million in AUM, or $1 billion in AUM. If you’re going to utilize one of those providers, make sure you’re doing the work and customizing the compliance template for your firm.

Vigrass: So how would you guide advisors on how they should evaluate a provider?

Shaver: Learn more about the compliance consultant’s background and what your responsibilities are as an advisor. Ask about their templates, if they’ve had any regulator issues, and if any of their clients have faced any fines or deficiencies or their licenses have been suspended. Understand the scope of their services and how they work. Look at online reviews and talk to other advisors to see who they’re using. Really, truly vet the provider.