Massive spike in deficiencies at smaller RIAs
SEATTLE — Deficiencies found by regulators during their examinations of state-registered RIAs jumped nearly 60% to 7,907 in the first half of the year, and agencies are signaling plans to make advisors accountable for shortcomings in cybersecurity, officials say.
While recordkeeping is the most frequently cited concern among RIAs with $100 million in assets under management or less, the new category of cybersecurity helped drive the growth in deficiencies, according to a survey released this week by the North American Securities Administrators Association.
State securities regulators examined 25 compliance areas, up from 22 in the last study by NASAA in 2015. State-registered RIAs that year showed only 4,983 deficiencies over six months. Regulators at the state level echoed SEC officials’ warnings about cybersecurity and their bulked-up exam capacity.
“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” NASAA Investment Adviser Section chairwoman Andrea Seidt said in a statement released at the group’s conference.
Chairman Jay Clayton and OCIE's director provided advisors with hints on the regulator’s methods.
The chief executive of the self-regulatory organization urges against duplicating regulatory efforts, and adds that big data will soon define how regulators operate.
In the wake of cyberattacks at Equifax and EDGAR, SEC Chairman Jay Clayton makes an unusually lengthy statement appealing for RIAs to bolster security.
IMPORTANT BOX TO CHECK
Seidt and other officials who presented the findings of the survey noted that the 698 deficiencies found in cybersecurity have not yet resulted in any sanctions against the firms. The most common black marks in the area included inadequate or nonexistent cybersecurity insurance and no testing of vulnerabilities.
The organization also unveiled a 7-page, color-coded checklist covering 89 different cybersecurity metrics for state-registered RIAs. So far, regulators have restricted their cybersecurity efforts to educating advisors rather than sanctioning them, but “at some point that’s going to change,” Seidt said.
“The examiners are going to be utilizing this checklist and walking through it when they go visit state-registered investment advisors,” said Siedt, the commissioner of Ohio’s Division of Securities. “It’s going to help them take an inventory of where they are in their cyber assets and prepare more effectively for a state exam.”
The study also disclosed the most prevalent issues involving recordkeeping, registration and contracts at smaller RIAs. A lack of suitability documentation, inconsistencies in Form ADV and aspects of fee disclosure, respectively, made up the leading types of bad practices detected in the three areas.
The report covered a sample of 1,203 exams in 37 U.S. states and territories, and NASAA members supervise more than 17,600 state-registered RIAs across the country.
NASAA collects the data on its member regulators’ exams every two years. The Dodd-Frank Act brought RIAs with between $30 million and $100 million in AUM under state regulators’ purview back in 2013.