As I write, I find myself again sitting on a plane traveling home from somewhere on the North American continent. This weekly junket, like all others, was spent visiting clients and speaking at an industry conference. The message: “Compliance need not be burdensome or complex unless advisors make it so,” and far too many advisors still do. Why? Too many continue to drink the Kool-Aid peddled by various (not all) form shops and consultants with little appreciation for whether the documents they receive actually reflect their operations and limit their liability and responsibility. Similarly, far too many of these documents are a boilerplate minefield for when regulators or plaintiffs’ lawyers call. No area makes this more apparent than the dreaded “policies and procedures.”
Rule 1: Read the documents! If you did, you would realize that they do not apply to your business.
Rule 2: If you find the documents do not apply to your business, you must revise them.
Rule 3: Make sure you do what you say you do in the policies document. Regulators will read your policies and will seek to confirm that you are doing what they say. Far too many manuals are “micro” in scope and content, presenting overly ambitious compliance processes that far exceed what is required, while missing important issues that regulators are now rightfully much more concerned about post-Madoff, such as having a policy or process to maintain the confidentiality of client information relative to those who have access to your offices and information, including internal staff and outside vendors; monitoring of employees’ outside business activities; initial and ongoing due diligence conducted on unaffiliated separate account managers and private fund sponsors; supervision of branch offices and personnel; and the initial and ongoing investment suitability determination.
Rule 4: Make sure that the policies document does not conflict with your Form ADV or advisory agreements. This is an all too common occurrence. If you purchase documents from “consultants,” you must take responsibility for revising them to make sure that they are consistent and don’t conflict with your other compliance-related documents. In the alternative, engage a professional who, prior to agreeing to provide any such “form” documents, will ask the question, “What about your ADV and advisory agreements? How can I provide a ‘form’ policies document (and yes, most documents start as generic templates which are then revised to reflect an advisor’s practices) if I don’t know what your business practices are as reflected on your ADV and advisory agreements?”
Rule 5: Shop for price, roll the dice. As someone who has read every canned policies manual, I can assure you that not all documents are created the same. Is your manual drafted in a way to avoid potential liability? Does it create unnecessary, burdensome tasks that are not required under any corresponding rule? Does it, as it should, clearly address the issues that the regulators are concerned about come exam time and in a manner that is not overly complicated to implement?
Rule 6: Regulations change. Thus, so must your policies and procedures manual. You must continue to update your manual to reflect regulatory changes. There has been an enormous change in the regulatory landscape post-Madoff. As a result of those changes, including Dodd-Frank, policies created six months ago or longer are now out-of-date, and those that have not been updated for years are substantially obsolete. Nothing will more rightfully demonstrate a lack of compliance culture to regulators than an out-of-date or obsolete manual.
Rule 7: Make sure you follow Rules 1–6 on an ongoing and continuing basis.