© 2020 Arizent. All rights reserved.

The SEC's white-hot audit streak shows sign of cooling

Register now

The SEC has been on a white-hot examination streak, upping its number of audits by a remarkable 137% over the last six years, but a combination of factors seem primed to slow the commission’s roll through 2019 and beyond.

Despite all the talk of deregulation and the rolling back of the Department of Labor’s fiduciary rule, the SEC’s Office of Compliance Inspections and Examinations audited 2,312 firms — approximately 17% of all SEC-registered investment advisory firms — according to the SEC's recently released 2018 fiscal year annual report.

While that may appear a relatively low figure, it's a significant increase from 2012 when the audit rate was only 8%. From 2012 to 2018, the total number of federally registered investment advisors grew 13% while the number of audits more than doubled from 974 to 2,312 during the same time period.

Still, as I previously wrote, the number of SEC-registered firms appears primed for strong and continued growth. Given this headwind, the SEC is projecting a slightly reduced examination rate for the 2019 fiscal year. Adding to this: the 34-day partial government shutdown, which ended in January, put a stop to all RIA exams during that time. That will also likely make it difficult for the SEC to up its total audit volume in 2019.

In a positive for the RIA industry, even as the volume of audits has increased over time, the percentage of firms with compliance issues has been trending lower. The percentage of audits resulting in one or more deficiencies has remained relatively steady or has decreased in recent years. In 2018, for example, 69% of all SEC audits resulted in a deficiency. In both 2016 and 2017, 72% of audits resulted in a deficiency. Compare that to 2011 when 82% of audits led to a deficiency. Similarly, 20% of audits conducted in 2018 resulted in a significant finding, compared to 42% during the 2011 fiscal year.

There has yet to be a meaningful uptick in the number of RIA enforcement actions — but that could soon change. While the percentage of examinations referred to the SEC Enforcement Division declined from its peak of 13% in 2013 to 6% in 2018, on a volume basis the number of firms referred to enforcement is increasing over time. With 964 examinations performed in 2013, a 13% enforcement referral rate equates to approximately 125 firms. On the other hand, with 2,312 examinations conducted in 2018, a 6% enforcement referral rate equals approximately 139 firms.

It’s possible this increased enforcement trend could accelerate as the SEC zeroes in on cybersecurity issues.

This observation is confirmed by the recently released SEC Division of Enforcement 2018 fiscal year report. While headcount for the Enforcement Division is down nearly 10% compared to the 2016 fiscal year, the department's productivity and efficiency have continued to improve. As a result, in 2018 there were 108 standalone enforcement actions pursued against investment advisors or investment companies, representing a 31.7% annual increase, compared to the 82 standalone enforcement actions filed in the 2017.

Historically, there haven’t been a lot of such actions related to investment advisors. But here’s the wild card: It’s possible this increased enforcement trend could accelerate as the SEC zeroes in on cybersecurity issues. Last year, the SEC took its first action charging violations of Regulation S-ID. This regulation, known as the Identity Theft Red Flags Rule, is designed to protect clients from the risk of identity theft.

In its annual report, the SEC Enforcement Division noted it has more than 225 ongoing cyber-related investigations. While that figure includes all types of regulated entities under the SEC’s purview, it seems highly unlikely that there will not be more forthcoming cybersecurity-related actions against investment advisors in 2019 and beyond. Considering the plethora of regular guidance and risk alerts SEC staff has issued in recent years, it’s safe to say that gone are the days when a firm can plead ignorance as a defense when it comes to cybersecurity.

For reprint and licensing requests for this article, click here.