Answers to the most frequently asked wealth management compliance questions

RIA in a Box says there's a straightforward answer to this question. If you have $100 million or more in assets under management, you have to register your firm with the SEC. If it's anything less, then you'll most likely be going with state regulators.

Of course, though, it's not quite that simple. For firms that have to register with state regulators, the primary question is: Which state? 

If an advisor operates only in, say, Montana, Mississippi or Missouri, then it should register wherever it has its primary office. But most firms do business across state lines. If that's the case, they'll have to look up individual statues to see which regulations apply.

Many states, according to RIA in a Box, require registration for firms that have five or more clients within their borders. Texas and Louisiana make that demand for advisors with a single client in their jurisdictions. New York requires state registration for all firms with $25 million or more in assets under management.

Corey Kupfer, the founder and principal of Rye Brook, New York-based Kupfer and Associates, said most firms would prefer to be solely under the SEC if that's an option. One huge advantage to having a federal-level regulator is that it avoids the patchwork of laws advisors must deal with if they're registered in more than one state.

"I don't know an advisor who's qualified to be registered with the SEC who doesn't take that choice," Kupfer said.

RIA in a Box is just the latest compliance consultant to note advisors' apparent unease with the SEC's recent overhaul of its long-standing marketing regulations. Before the adoption of the new rules, financial planning had been one of the few industries that was prohibited from using client testimonials and endorsements by celebrities and other third parties.

Even with the recent lifting of that ban, RIA in a Box notes advisors have been slow to take advantage of the new freedom.

"Advisers have been told to avoid reviews and testimonials for so long, it's no wonder that the majority of RIAs are treading carefully when it comes to requesting them," according to RIA in a Box.

Just as small firms often have to register with states instead of the SEC, they may also come under individual state laws on advertising and solicitation. Hunter said his firm, with about $10 million in assets under management, is registered solely with Pennsylvania and that every state imposes its own marketing requirements and restrictions.

"There is a pretty big gray area in regards to what is allowed or not allowed," he said in an email.

One reason for advisors' hesitation to take advantage of client testimonials and third-party endorsements is no doubt regulators' insistence that planners have solid evidence to back up any claim they make in their marketing. RIA in the Box's latest regulatory bulletin warns of another pitfall: The need to avoid reporting only client reviews and performance data that put your firm in a good light and ignoring less-flattering results.

Such "cherry picking," as RIA in a Box deems the practice, will not be welcome to regulators.

"In essence, you can't just ask a few of your favorite clients for their feedback — it's all or none," RIA in a Box says.

To avoid cherry picking, the compliance consultant recommends that you make sure you send out emails requesting testimonials from people you've worked with to all your clients. 

RIA in a Box also recommends caution when you're trying to decide which statements can be legally included in marketing statements and which can't. The SEC's new rule sets strict limits on what advisors can say when they seek to highlight their knowledge or expertise by noting the performance of their past investment recommendations.

They're not allowed, for instance, to report results for only one time period to the exclusion of others. If they're going to brag about the performance of a given investment recommendation, they have to show how it did over three distinct periods of time: one year, five years and 10 years.

RIA in a Box isn't the only industry consultant to note the industry's struggles with the new marketing rule. In a survey of roughly 580 advisory firms conducted in May, the compliance firm ACA Group found that only 5% of the respondents reported using their newfound freedoms to rely more on testimonials by former clients and endorsements by celebrities or other third parties.

The ACA's survey suggested more and more advisors are returning to the office. Even so, remote and hybrid working arrangements remain common in the industry.

RIA in a Box said many advisors continue to seek guidance on how they and their employees can operate at a distance without running afoul of regulators or exposing clients to additional risks. The firm said the way to avoid these twin dangers is to subject remote employees to frequent and careful monitoring, particularly through the use of software systems.

Many firms, for instance, use computer programs to collect and store employees' digital communications. RIA in a Box advises using these systems for all messages regardless of if they're sent by email, social media, text or direct messaging services like WhatsApp.

"Where advisers get into trouble is when they start fielding communications from prospects and clients via their personal Facebook account or something along those lines," according to RIA in a Box. "If you are talking shop (i.e., giving financial advice of any kind), then chances are it should be archived."

Cybersecurity should be a priority for all advisors, but particularly so for those who rely heavily on technology to make remote work possible. The SEC has proposed a rule that would give advisors 48 hours to report data breaches and put in place other requirements meant to protect client information.

Even while the industry awaits adoption of that proposal, RIA in a Box recommends firms provide cybersecurity training to their employees and periodically scrutinize their data protection policies for strengths and weaknesses. The compliance consultant said firms can even run simulated cyber attacks to expose previously unnoted deficiencies.