9 major RIA compliance fails — and how to avoid them

Developing, implementing and maintaining a robust compliance program is the best way for an RIA to stay out of trouble with regulators — but no one said it was easy. Compliance is a complex and challenging endeavor, and it is essential to avoiding the pitfalls that can lead to fines and harm to an RIA's reputation.

Over my nearly three-decade career (including at some of the world's top multinational law firms), I have seen RIAs make all kinds of compliance missteps and mistakes. Here are the top nine, along with suggestions on how to remedy them. 

Richard L. Chen is founder and lead counsel at Brightstar Law Group.

Making an inadequate initial risk assessment

Firms sometimes fail to conduct an adequate risk assessment before developing their compliance policies and procedures. Such an assessment, based on the RIA's business model, organizational structure and operating infrastructure, as well as the stated priorities of its regulators, indicates how much time and effort should be devoted to each compliance topic. An inadequate assessment can result in policies and procedures that do not give enough attention to the firm's high-risk areas.

In conducting an initial risk assessment, firms should evaluate areas including service and product offerings, fee structures, investment and trading strategies, and business arrangements with affiliated and non-affiliated entities. Surveying communications from regulators will invariably help an advisor adopt more meaningful policies and procedures to address the areas where the firm is most at risk. Recently, issues such as investment suitability, conflicts of interest, cybersecurity preparedness, compliance of marketing materials and fee billing have been among the most highly scrutinized areas in SEC examinations.

Using generic policies and procedures

Often, firms prepare their compliance policies and procedures utilizing template compliance documents. While policy statements outlining a firm's general policy on a specific issue (such as prohibiting certain types of conduct) are important, including tailored step-by-step instructions on procedures is crucial as well. 

The failure to adopt clearly defined procedures leaves personnel with little guidance as to how they should carry out their compliance responsibilities and can ultimately result in gaps in procedures that will invariably lead to compliance violations. Before drafting compliance procedures, advisors should go through the exercise of thoroughly mapping out the steps that personnel should follow to best promote compliance and incorporate them in their compliance manuals.

Failing to simplify policies and procedures

On the flip side, overly complex procedures pose their own risks. The more procedures there are, and the more complex they are, the more likely it is that firm personnel will not follow all of them. This can lead to inadvertent violations and oversights, as regulators will penalize advisors for having compliance procedures that they are not following. Firm leaders should periodically take stock of their compliance procedures to see whether steps can be removed without reducing the efficacy of the program.

Not assigning specific tasks

In addition to delineating compliance procedures, compliance manuals should clearly delineate who has responsibility for executing them. Failing to make clear who is responsible for certain functions leads to confusion, which can lead to duties falling through the cracks … which can lead to compliance violations. 

While the chief compliance officer has overall supervisory responsibility for a firm's compliance program, other personnel can and should take on specific compliance responsibilities, particularly where they have more knowledge about a topic than the CCO. For instance, a chief investment officer is better suited to identify whether an investment is suitable or whether there are trading practices that do not promote a client's best interests.

Having outdated policies

An effective compliance program must be proactive as well as reactive. Once policies and procedures are in place, there can be a tendency to move on and fail to revisit them. This can be dangerous as regulations evolve more quickly than most advisors anticipate. Firms should schedule regular reviews to evaluate whether any recent business or regulatory changes warrant modifications to the policies and procedures.

Not hiring a CCO (or having a CCO with no time)

Another compliance pitfall is the failure to designate an individual or individuals who are sufficiently qualified and have enough time to administer the firm's compliance program. 

Compliance policies and procedures alone do not make a sufficiently robust compliance program; the SEC and other regulators expect that the persons tasked with administering compliance programs have the training, experience, knowledge and time to carry out those functions. Firms that do not retain one or more individuals with the requisite experience and time to supervise the compliance of an advisory firm could face sanctions, and the individuals who serve in that role could in certain circumstances also face personal liability, leading to fines and reputational harm. This can be a particularly acute issue for advisors whose CCO serves in multiple roles. Advisors often address it by retaining outside compliance consultants to shoulder some of the load of administering the firm's compliance program.

Poor prioritization

Another common mistake firms make is failing to adequately prioritize the areas that require the most time and attention. 

In practice, this means firms are not focusing enough attention on the high-risk areas identified in their risk assessments. With limited time and compliance resources, advisors must first concentrate on the areas most likely to lead to serious compliance violations, such as practices that could cause an advisor to breach the fiduciary duty owed to clients. Advisors should test such areas more often than low-risk areas.

Missing documentation

Documenting compliance efforts can be a tedious and time-consuming task. Nonetheless, regulators, including the SEC, take the position that if there is no documentation evidencing a firm's compliance efforts — including reviews and testing — they did not occur. 

Policies and procedures manuals should require documentation of any reviews, tests or other duties performed in connection with the administration of the compliance program. Chief compliance officers and other members of management, such as chief operating officers, should routinely remind employees of the need to document their compliance efforts, as it's easy to forget — particularly if employees have numerous other responsibilities.

Failing to allocate time and resources to compliance

As noted at the outset, compliance is hard. 

Firms often underestimate the time and resources that must be devoted to ensuring that a firm remains in compliance with applicable laws, rules and regulations — particularly now given that regulators are increasingly aggressive in pursuing advisory firms for compliance failures. 

Making compliance a top priority is essential to ensure the firm's program achieves its goals and it avoids regulatory sanction. One cost-effective way to handle such complexity is to outsource all or some of these functions to legal firms that can provide support services to an advisor's compliance program, rather than an RIA maintaining such responsibilities in-house.
