NASAA exams unearth fewer violations but still failures with registration and recordkeeping

September 12, 2023 5:52 PM

Topping a state regulators group's list of the common violations for investment advisors were failures to fill out registration forms properly and maintain accurate books and records.

But in general, firms have become much better at staying in compliance, according to the latest results from the North American Securities Administrators Association's every-other-year reviews.

NASAA, which represents state and provincial regulators in the U.S., Canada and Mexico, noted a steep drop in violations among the 683 firms it examined between Jan. 1 and July 31. Of all the exams, the proportion that noted one violation related to official state registrations, for instance, fell to 23% from just over 44% two years before. The comparable figure for books and recordkeeping failures fell to roughly 17% from just over 41%.

Jason Vinsonhaler, the director of regulatory research and content at the compliance consultant Comply, was pleasantly surprised to see a decrease.

"It takes a very intentional effort to run a complaint firm," he said. "And as we can see here, it's working."

Alisa Goldberg, the chair of NASAA's investment adviser operations project group and director of the Florida Division of Securities, noted that this was not the first round of examinations for most of the firms reviewed this year.

"And because we've seen them before, we would expect them to be in compliance," she said.

The exam revelations were released on the third day of NASAA's Annual Fall Meeting, taking place this year in San Diego. Scroll down for more of the results.

Registration frustration

Compliance consultants have previously listed queries about registration among the questions they most commonly hear from clients. In general, firms with $100 million or more in assets under management have to be registered with the Securities and Exchange Commission, whereas those with less must turn to the states.

NASAA results suggest firms continue to struggle with registration questions above all others. Even though the percentage of investment advisors with registration failures fell from 2021 to 2023, 430 of these violations were still unearthed.

Many of the specific violations noted by regulators had to do with incorrect information being added to the Form ADVs registration forms that firms must fill out every year. State watchdogs, for instance, called advisors out for listing inaccurate information about their fee structures and business descriptions.

Visonhaler said some of the questions posed to forms when they're filling out their Form ADVs can be unclear or difficult to interpret. Fortunately, the penalty for mistakenly checking the wrong box on the document, he said, is usually light.

"If it's just an oversight or something of that nature, then it's many times handled with a letter where it's basically asking you to create the policies and procedures to make sure you don't make that same mistake again," Visonhaler said. "Of course, it can range up from there if it appears something nefarious or egregious has taken place, and it can take on more stern penalties."

On the books

Although books and records violations were also down over the past two years, there were still 323 of them. A release from NASAA says many of these deficiencies came from advisors' failures to make sure they're helping clients find investments that are suited to their needs and circumstances.

Jaqi Hummel, the director of thought leadership for regulatory compliance at the consultant ACA Group, said most firms do pretty well at maintaining investor profiles that can be used to gauge clients' investing goals by taking into account factors like their savings and desired age of retirement. Where they are likely falling down is keeping documentation showing why a particular mutual fund or other product's fees and performance prospects made them suitable investments.

"If you don't have a consistent system for keeping track of that and being able to find it when you need it, regulators are not going to give you a pass anymore," Hummel said.

Some firms were also found to have flaws in documents like their financial statements and ledgers. Others presented incorrect information in bills and statements.

Under the separate category of advertising violations, NASAA found that 10 firms had misleading statements or omissions about their qualifications, fees and services in their marketing materials. And in the category of fee violations, regulators found that 40 investment advisors were charging fees that weren't in line with the amounts listed in their contracts or Form ADVs.

Keeping an eye out

The third most common type of violation had to do with supervision and compliance violations. NASAA found roughly 309 failures of this sort.

Of those, roughly 35 arose from a lack of policies meant to protect vulnerable clients and just over 25 were for not keeping those policies up to date. Twenty-five violations also arose from firms not having performed reviews and maintenance of their supervisory and compliance procedures.

Cybersecurity and data privacy

Although cybersecurity deficiencies did not rank near the top of NASAA's listing this year, concerns that firms aren't doing enough to protect investors' data have prompted a slew of new regulatory proposals in recent years. The SEC has proposed rules that would give both investment advisors and broker-dealers 48 hours to provide regulators with detailed reports on cybersecurity breaches.

Michael Cocanower, the CEO and founder of Adviser Cyber, a compliance consultant that helps firms with cybersecurity, predicted more investment advisors will turn to third-party experts for assistance with data protection.

"As these SEC rules finalize, my biggest worry is internal IT teams getting bogged down with the burden of these regulations," he said in an email. "Cybersecurity is very different from the typical IT skillset, yet many organizations put them in the same category."

Resistance to the proposals has been heavy within the industry. NASAA's figures suggest firms still have some work to do if they wish to resolve some of the concerns without additional government intervention.

State regulators found more than 25 violations that arose from firms having no written policies on information security and nearly 10 for not having plans on how to contact the authorities in case of breaches or other emergencies. They also found more than 20 violations from firms not being able to furnish evidence that they had sent their private policies to clients.

As for cybersecurity, the top violation was related to having weak or infrequently changed passwords. Still, cybersecurity failures went from being found at roughly 5% of all firms in the 2021 reviews to just over 1% in 2023.

By the numbers

Of the 683 firms NASAA examined in the first half of the year, 232 were undergoing review for the first time. Nearly three-quarters of the investment advisories under scrutiny consisted of a single registered representative. One-fifth had two representatives and only 8% had three or more.

The largest proportion of firms, 125 of the total, had $5 million or less under management. Fifty-seven had between $5 million and $10 million, and 80 had between $10 million and $20 million. On the other end of the scale, only 12 had between $90 and $100 million.

Hummel said she thinks the falling number of violations is a sign that firms are not only taking compliance seriously but also recognizing that they may need outside help from time to time.

"This isn't necessarily a business you need a lot of certifications or licensing to get into," she said. "But once you go in, you find it's highly regulated, and you really do need some assistance. I think that message is getting out to some of these smaller and startup firms."