From recent changes like the SEC marketing rule to pending proposals like the agency's new rule on cybersecurity, keeping track of how regulators are changing the daily lives of advisors is no easy task. And the effort comes with unique challenges for both large firms and small practices. This session will provide a breakdown of all the new rules that have gone into effect since last INVEST, and discuss how technology is helping wealth managers of all sizes rise to the occasion.
Transcript :
Brian Wallheimer (00:07):
Good afternoon. Thank you for joining us for a discussion on new SEC rules and how firms of all sizes can meet compliance challenges posed by those rules. I'm Brian Heimer, Editor-in-Chief of Financial Planning Magazine, and I'll be moderating the conversation today. Joining me is John Cataldo. John is President Advisory Services and Chief Legal Officer of Integrated Wealth Concepts and a partner at D'ambrosio, LLP in Boston. Get that right, John? All right. And John Carr. John is an attorney at Butterfield where he represents financial services professionals and regulatory investigations, enforcement actions, arbitrations in court cases in Oregon and Washington.
John Cataldo (00:46):
Well around the country there.
Brian Wallheimer (00:47):
Around the country and around the country. Great, So going to get started here, we talked a little bit about the marketing rule. It came up in our pre-conversations as kind of one of the most dominant things going on today is that what advisors should be on the lookout for in terms of SEC enforcement in the coming year.
John Cataldo (01:10):
Yeah, I'll take that. Yeah. Marketing rule, it's all about the marketing rule. They literally, today they put out, or yesterday they put out guidance SEC on it. But I can tell you we have like seven active examinations right now for SEC clients around the country. And even on the new registrant exam, if people that have just been registered for a year and a half, two years or less, they're asking about the marketing rule. And then if you're, it's a regular course exam. It's a page and a half at least of requests, almost two pages of requests specific to the new marketing rule. Not only have you adopted it, but how are you using it? Do you have the disclosures in place? Do you have the agreements in place? And then things about the performance, how you're using performance. So it's very detailed. They're focused on it. And John, the John C right here. I know, right? Exactly. So John other, John C actually haven't had a time to review the piece from the SEC, but he had a synopsis and maybe he can talk about it, but I can tell you they're focusing on it and the compliant, you should have had it in place policies and procedures and all that by November of last year. And it just take a step back, they hadn't updated the marketing rule in 60 years. Right. So micro fish was cutting edge back then, so, and they did away with all these no action letters that we get provided guidance to advisors, how to use performance, how to do this, all that. And then the other thing they did, they took away the solicitation rule, which came into effect real recently, back in 1979, and they put 'em all together. And overall, I think it's a pretty solid rule overall. It put to rest on the doubt, the application, these no action letters allows testimonies and testimonials I should say, which were forbidden before and endorsements and all that. And it's overall very good rule. It's a little, I think the hardest part our clients are seeing because they're the couple billion to 300 million range of our clients around the country, generally speaking, is the net of fees where they use hypothetical piece that is the hardest part for them for my base. But anyway, those are some of the highlights here. But there, if John, you want to jump in and see how you guys are up there.
John Carr (03:35):
Yeah, absolutely. So I mean, there are so many different rules that we can talk about in this session, but I think the marketing rule is the logical place to start. And the SEC did help us a little bit by issuing a risk alert, and in short, that risk alert discusses what the SEC is finding in some of its initial exams, but importantly, providing a roadmap for what they expect firms to be doing and what they're going to be looking for in those exams. And they are highlighting, do you have agreements in place? Do you have paid promoters? Do you have unpaid promoters? How are you ensuring that the folks that are promoters under the program are not bad actors, which are disqualified from serving as paid or unpaid promoters? How do you ensure that proper disclosures are provided, that you identify what a material conflict of interest is? Then you get into all of the hypothetical performance reporting and so on and so forth, and do you have proper policies in place to ensure that hypothetical performance is articulated properly, calculated properly, and expressed effectively to clients? So we've seen this roadmap from the SEC before. Reg BI is a perfect example of that, where rule becomes effective. They issue guidance to firms telling them, this is what we think you should do. Then they issue a risk alert saying, we're going to come and look at it. And then they issue exams where they go ahead and they look at it. So there is a body that we can look to and see how they're interpreting this current iteration of the SEC isn't is dispensing with their enforcement and regulatory surveillance obligations and duties. And the marketing rule is 150% where they're going to be looking most keenly at it because it is a rule that was materially changed. It's an area that is near and dear to them when we're talking about communicating with clients. So it's an area that's going to be of significant focus. Significant focus.
Brian Wallheimer (05:32):
Yeah. We talked a little bit about this being the enforcement actions here being very similar to what's been happening with client communications. Yeah. Can you talk a little bit about that? What has happened there and what are some of the parallels we might see, we might see with this role?
John Carr (05:48):
Sure. Oh, you want to go?
John Cataldo (05:50):
The rule is basically client communication is just a refresher of anything to do with investment information. Just think of, I tell my clients any client communication. So you try to decipher it or filter it has to be kept and maintained for in a safe cybersecurity. You talked about the last panel safe place for, well, we say six years. It used to be five years, but six years with some rules that came into effect not too many years back. But that's the piece here. And you have to have that ready to deliver usually within an exam period for a two year period back from when they request it. But that's the key. But go ahead, John.
John Carr (06:31):
Specific. Yeah, so whether it's client communication or just electronic communication in general, we saw over the summer the SEC's cases against some of the large investment banks. Then they've extended that and we know that they have reached out to large RIAs and broker dealers in the independent space with inquiry letters and exam letters. And their review there is basically we've got these rules in place, guys that require you to retain communications and to surveil communications to ensure that they are meeting content standards and there's no red flags. And they've been sanctioning firms and investigating firms, even though they had a policy in place that required the use of specific means to communicate electronically internally and with clients. They had systems in place for people to use. They had acknowledgements in place for their internal personnel where they acknowledged, I'm aware of your policies, I adhere to your policies, and I use only those systems. They had training in place, and they could even exhibit that people communicated through those means. But what they did was, unfortunately, John Carr and I have known each other for 20 years. He's my client, he's also my best friend, or we've been working together as colleagues for 20 years, and I can't help, but it's a Sunday afternoon again, because now we live in a 24 hour work cycle with the capability to access things instantly. So it pops into your brain. There's no more, I got to remember to talk to John Carr about that on Monday morning. I can just do it right now. And if I inadvertently, because John's phone number is in my phone, because we talk all the time on the phone, which is okay, but I forgot to use my rep chat, an approved electronic communication medium for my company. I forgot to use that. And I just beep text John Carr, right? Hey, John, we need to talk about the financial planning deal on Monday morning. I'm having some concerns about our ability to get the parties together on this. That's a work related communication. Does it have anything substantive in it? No, it doesn't immaterial, but it's a business related communication. And that inadvertent misstep on my part, I didn't do that on purpose, but that inadvertent misstep is where the SEC came in and they said, despite the fact you had policies, despite the fact you had systems, despite the fact you had acknowledgements, you could demonstrate you trained people. People still did it once in a while, and you didn't catch it. And you didn't stop. So I know that was a long story to get there, but I think that highlights the risk, and I see in the risk with the marketing rule is it is detailed. There are expectations, and you need to carefully go through all of the elements of it. Ask yourself, how are these elements being used in my organization? Are we engaging in hypothetical performance? Are we using paid promoters? Are we using unpaid promoters? Start there. Right? Then from there you go, now are we meeting all the expectations? Are we assessing material conflicts of interest? Are we getting contracts from people that are compensated? Are we providing adequate training and demonstrating that they understand what they can and can't do if they're unpaid? Do we understand what compensated versus non compensated means cash compensation versus non-cash compensation, including borrowing my house, my house down the shore for the weekend for a great client, Hey, could you do this for me and just use my house down the shore compensation. So educating people, making sure that you can defend, we got this, we understand what the rule says. We understand what our policies and our obligations are, and here's how we are making sure we dispense with it. If you do that well on your way towards weathering those SEC requests when they come in the door.
Brian Wallheimer (10:34):
Well, let me ask this though, because when you talk about the client communication rule, it's probably far more difficult to just to know that someone texted someone, right? I mean, there has to be an awful lot of surveillance there and checking and those sort of things. It seems like it would be harder for someone to get a paid testimonial from someone without there being some knowledge of it. But how does that slip through the cracks? How does a firm make sure that they know that some advisor on their team isn't doing something Yeah. Untoward there?
John Cataldo (11:05):
You mean on the testimonial side?
Brian Wallheimer (11:09):
On the marketing side?
John Cataldo (11:10):
Well, the test, yeah. Well, you can say you're more on the floor, on the ground, so to speak. I'm oftentimes telling them to do it, and then after the fact when they haven't done it defending them.
Brian Wallheimer (11:23):
All over the country.
John Carr (11:24):
So I, think it starts with that education component. So individual advisors, for those of us that have retail advisory shops, whether they're W twos, whether they're independent contractors, none of that funnels through them. It funnels through a firm program. So it's controlled at the firm level. Why? Because first of all, you're the ones paying them. They shouldn't be getting paid by the financial advisor directly. That's another whole issue, which I'll talk about in a second. But you know, have to have a contract in place you to have a means for collecting information about material, conflicts of interest, making sure that under the rule that the proper disclosures of whether the person is or isn't a client, whether they're compensated or not, material elements of that compensation and any material conflicts of interest, that's all being distributed to that recipient of the paid promotion. So paid promoters is one that I think is easier for firms to demonstrate compliance with. Now, the one element that they can't is that example of somebody's paying on the side or letting them use the house, which technically is compensation. It was nice under the old rule, though shalt not provide non-cash compensation. That was the old rule. It had to be cash. Now it can be cash, which opens it up, but either way, that's the education piece. Your individual advisors, the folks that are the recipients of those referred parties doesn't go through them guys. They need to understand that right now, unpaid promoters, that's the one where it's a little more risky in my mind because that's very easy for an advisor to say to their friend, Hey Tony, you've been my buddy for a long time. I'm going to be having this. I'm going to be doing a marketing campaign, and I would love to be able to put a little quote from you. Or I'm revamping my website and I would love something from you. How does a firm monitor that? Well, that all those communications need to come through you, right? Marketing material has to be reviewed, needs to be anyways, because of the content standards. Events need to be reported to you so that you're aware of, Hey, John's going to have this event, so what's going to be the format of it? Also, interestingly enough, the rule doesn't apply to extemporaneous verbal communications, right? Because it says an advertising can include an endorsement of testimonial, provided you meet all these things. Well, the definition of advertisement in the rule excludes extemporaneous verbal communications. So if it's a conversation, yeah, you're good to go.
John Cataldo (13:55):
Yeah, no, I also think for the medium sized firms, I mean, it's been drilled into their head that testimonials were forbidden forever. So the fact that it's opened up and hopefully the firms are rolling out with their compliance consultants and counsel and all that, and their CCO, this is what the new rule means. This is how we're going to implement it. If we're going to utilize promoters, either endorsements, third parties, what have you, testimonials, this is the process just like John lined out. Sure. So yeah.
Brian Wallheimer (14:26):
So John Carr, I won't say John C, you said a second ago that John on the other end here, he's getting working on the front end. You're tending to have to defend people on the back end. Is there any one thing or two things, or are there any big things that stand out where you say, this is where people are getting it wrong, or this is one thing that if half of my clients had done this instead, They might not be in this situation.
John Cataldo (14:51):
On the marketing rule, I mean lot. The first line of defense is disclosure. Is there a disclosure item or piece in your ADV document? That's a huge thing. I mean, if you have that as a defense that's huge. And then you backfill it with the agreement if an agreement needs to be in place as over the a thousand dollars piece and all that. But that the piece is disclosure. The biggest enforcement action defenses we've done are clients that either didn't tell us or weren't, they weren't clients of ours before. And this is just not just marketing rule. It was a fee sharing with Fidelity is a, it's a large firm, and they had a deal with Fidelity that gave them a better deal because they had so many assets with them. And so the disclosure type of situation is the big biggest piece there. If you're doing it, you're not disclosing it or a DV not going to be. That's the first piece right there. The second piece is everything else that John was laying out, out as far as the rule, and normally in the marketing rule, they're just rolling it out. They're just provided more guidance. They will usually get one bite of the apple, so to speak, usually, and not notwithstanding what happened, what you're talking about with the text and all that, with those, frankly, some larger firms.
John Carr (16:15):
Well, and to be fair, they did issue guidance and warnings beforehand for years that, hey, you need to be making sure you're doing this right. So I mean, they didn't do it in a vacuum, but you know, could argue whether it would do a little draconian and how they apply.
John Cataldo (16:28):
Exactly. But I would anticipate it that it would be a deficiency. Notice after the exam, they give you a or issue a deficiency letter. They say 90 some percent. I say it's 99.9% of the time. The SEC staff issues an A deficiency letter. Then you have usually 30 days to respond, and then as long as you're taking care of it, at least at that point, and then 3, 5, 6 years, whenever they come out, again, you, you've have taken care of it. You're still doing it. You're going to be in good shape. It's the recidivism or the being blatant about it. Those are the main things I would see would kick it over to the enforcement where all the lawyers are, where the fines are, where the timeouts from being an advisor or a firm all reside.
John Carr (17:12):
So yeah, it depends where the genesis of the inquiry is coming from as well. Right. I mean, the SEC has elements that the incorporate into routine exams. That's going to result in probably 99% of the time findings, letters and letters of caution. Then you've got the sweeps that are same logic, we're collecting this information, we're trying to determine. But then you've got the ones where they've already already know that they've got people, even if it's not for cause because they think your firm has done something specific, but it's an issue that they want that for political reasons or policy reasons. They want to make a statement. And I think I would submit that's probably where they ended up with the electronic communications and maybe with some of the Reg BI stuff that they're going after that it just depends on the nature, like the genesis of the inquiry itself.
John Cataldo (18:01):
Yeah, that's fair.
Brian Wallheimer (18:03):
So we spent a lot of time in the marketing role. That can't be the only one.
John Carr (18:08):
But wait, there's more.
John Cataldo (18:09):
Yeah, that's right. They've been busy. You have cybersecurity, a proposal for that. You have the service provider proposal, that just was another one. And then the custody rule, those are big three. Am I forgetting a couple?
John Carr (18:23):
No, you've got it.
John Cataldo (18:23):
I think that's more than enough. And so they're all proposed rules right now that I think the custody rule, excuse me, the cyber rule, they opened the comment period again, right? Yep. And is that closed or open still?
John Carr (18:37):
I don't recall if it's open or closed right now, but they did reopen it and mean, we discussed this in the last panel session, which was cybersecurity specific. But in March, on March 20, in March of this year, they came out with their rule proposal, which applies not to RIAs directly, but to broker dealers and other market participants. It requires essentially that you have policies and procedures that are reasonably designed to the size and scope of your operation that you conduct an annual review and assessment of your policies and procedures, and you provide certain information publicly. And I say it doesn't apply to RIAs because it doesn't in the rule itself, but the same spirit applies to RIAs. So just if you're in the industry, just do it. And I think that something is going to happen here. And this is an area where I think the SEC is being responsive and mirroring what best practices in the industry are. Meaning that, I mean, cybersecurity is an area that every entity understands and is involved in and knows that they've got requirements or protection that need to be put in place, how deep they know about what their requirements are. That's where it varies from firm to firm. And that's where the risk lies. Firms of any size, large or small, there's that element of reasonably designed, right, scaled to your operation, but beware the pitfall that there are certain threshold issues, firewalls, endpoint protection, things like that, requiring that data be housed in the cloud or at a firm server, not locally on servers that everyone is going to need to adhere to. They should today and they will if this rule is passed. So you need to understand how that impacts your organization.
John Cataldo (20:25):
And then as far as in the field, they ask about what do you have in place? What, do you have any policies, procedures, what's some, what's at least a basic outline of what you're doing to protect against cyber threats? And then they ask also, the last number of these exams, they've all, they also ask, has there been an incident or incidents? And then they want to have a, what was the writeup? How did you guys handle it? What did you do to mitigate that? Hopefully it won't happen again or lessen the likelihood of it happening again. So it is something that they're asking for and wanting to see, make sure that the advisors are taking care of it and are on top of it.
John Carr (21:04):
And that's actually something that's come up in best interest. And a lot of the best interest exams, some of the questions are, did you identify any breaches of the best interest obligation? And what did you do to respond to that? And some firms, many firms are saying, no, we didn't identify any. So then the next question is, well, what did you do to look for them? So make sure that you are aware that not just, I have this obligation, but I'm testing to make sure that I'm meeting that obligation.
Brian Wallheimer (21:33):
I want to remind everybody we're open for questions at any point. If anyone wants to raise a hand, happy to have that. But I also want to ask, you mentioned the custody rule. Yes. I know that's another big one and we probably won't be able to get too far past that, but talk a little bit about that. And I know there's some concerns, especially with smaller firms on that one.
John Cataldo (21:52):
Well, all firms, in some ways it's kind of a problem in search of a solution or no, or vice versa, however you say it. The big piece for most advisory firms, especially in my lane of a couple billion to couple hundred million, some of the requirements that are in the proposed rule, again, just proposed to get verifications and contractual provisions with negotiated with the advisor, excuse me, with the custodian that you're utilizing or custodians, you're utilizing some assurances there. And if anybody has looked at their custodian contract, it's basically, it's a contract that you sign with the custodians, and it's what we call in law a contract of adhesion. Here the terms are the terms, and these are the terms and these are the terms. Sign it if you want our service. So that is, that's problematic if you're, do you see any other issues? Those are the two big things I see.
John Carr (22:52):
No, I mean, those are the big ones. I think another element of it is that the new custody rule extends to any assets that you are in possession or can become in possession of. It used to be customer's funds or securities. So now it's any asset that you're in possession of or can be or become in possession of. I'm struggling to find what other assets that might be other than for a family office. I mean, are you going to be storing the customer's vintage car? Are you going to be having access to their jewellery or their gold or anything like that? So yes, there are scenarios, but I think that's that element of it's less acute, but there are going to be a DV changes associated with it to report this and further data collection by the SEC. They want more data about what you're doing, how you have custody. So I do think that there's exposure to risk there for firms that aren't fully appreciating what it means to have custody under this new rule. If it ultimately passes.
John Cataldo (23:42):
And those clients that are out there, they're still confused about standing letters of authorization and then a no action letter and all that, which understandably so. But the other proposed rule is a third party service provider oversight, basically rule, and John and I talked about this before and you brought it up again during the cybersecurity piece that basically you're codifying, you're verifying these third party providers, you're utilizing for cybersecurity, for this monitoring as your CRM, all these third party providers. You want to, it's going to codify basically you making sure that they're doing what they're supposed to do. You're monitoring them because again, the advisor, you are the fiduciary. And so even if it's they're your third party provider service provider's, total ball drop, the SEC doesn't care. And the clients don't care. The plaintiff's securities lawyers don't care. They're going to name you and the firm directly. So you're the fiduciary. So that's kind of what that piece is, so, right.
John Carr (24:45):
Yeah, I would agree with you there.
Brian Wallheimer (24:47):
Actually. How did, that seems especially difficult for small firms. I mean, we were just in a session a minute ago with Sam Dean who is a one-man shop, and how is he going to make sure that all of the people he's contracting with are meeting those fiduciary responsibilities?
John Cataldo (25:05):
Yeah, it is a problem. I mean, a lot of our clients are very small shops. They might have a number, hundreds of millions, but there's like three or four people running everything. So they're wearing 18 hats. And the SEC gives I my lip service in my mind to the fact that the advisors act, act rules, you know, got to apply them reasonably designed to your operations, but the rules are the same rules. You got to comply with them. And it is burdensome, overly burdensome in my mind, in my estimation for these smaller shops. And sometimes relief is granted by some guidance, but it It's rough. It's rough. And when you have all the large firms, they're having a hard time with this. So big pushback by the Investment Advisor Association on these proposed rules, getting them more defined, giving more time to implement. But it's not an easy piece, Brian, that it, that's, I hear that all the time. That's why some firms have to rely upon consultants and more third party providers to do some of the ongoing compliance monitoring, and then they have to monitor them, but they have to offload some of the day-to-day stuff and have some system in place where they can documenting that they're paying attention and are on top of it. But it's not an easy, it's a heavy lift. It is a heavy lift.
John Carr (26:27):
No, I think that's a good point. And I think that smaller firms need to be mindful of the scope of the vendors that they use. Try to consolidate it as much as you can. If you can consolidate it through a custodial platform. So some of the custodial partners out there also have adjunct services they provide or that are available that they may not own, but that are available as a suite of services. That's certainly helpful because you can rely on that custodian's due diligence. I would try to make sure that when you sign on with that custodian, that you can get that right, that you say on the front end, Hey, X, Y, Z custodian, I'm not going to name any names here. We want to bring all of our assets over to you and we love the services you provide, but I need to know that you can give me your SOC one report, but also that you can share with me your process so that I've got something to show the SEC that the vendors that are downstream that you're using, that there's something in the way, right? Yeah. Larger firms, they're going to expect you to do all that yourself. But smaller firms, I think that's a great way to leverage it. But it is inherently challenging. There's that balance, and you mentioned it, you got to have consultants, right? You're going to have an IT consultant that is going to be setting up your servers, setting up your firewalls and things like that. You might want to make sure that you'll speak with them and say, as I bring on vendors, what can you do to help? Give me a look into these things and provide me with a memo, one page. I mean, I think that's going to go head and shoulders with the SEC. If they come in and they say, Hey, what have you got? I use my outside IT vendor, they're skilled in this area and they look at every single vendor that I use, any technology that I use and implement and confirm that it has meets minimum IT requirements, right? Far better than not having that at all.
John Cataldo (28:10):
Yeah. And an example, it comes up fairly often during exam. What's the point of the S E C doing This is best execution. How are you documenting best execution? There's just a handful of custodians of any size. And note that what, 90%, what is it, John? I mean, some huge high number of advisors utilize these custodians and the best execution. It mattered more in my mind, back in the day when trade costs were fluctuated, when this cost fluctuated and all that, pretty much everybody, the advisors, you get the same execution piece, you get the same price or lack thereof, price, all that. But I tell the clients and the SEC buys it, you know, just write up some sort of a report. You get the reports you can get from your custodian, get some material from one of the other competing custodians and write up a little short couple pay couple paragraph thing. And we looked at this that, but all things considered, we're still getting the best bang for their buck from custodian, whatever. But that's one of the things that you're raised up in. The other piece is that seems like busy work for a small shop when they should be focusing on other things, cyber compliance or servicing the clients, all that. I mean, that's just a comment there.
John Carr (29:29):
It is busy work and it can easily be lost unless you keep a compliance calendar and set aside one day a quarter, two days, a quarter that you say, this is my focus time on this. I'm going to bang out these 15 different requirements. I'm going to look at them, I'm going to get 'em done. I'm going to paper. You got to be diligent with that and set out those sides a quarter. If you try to do it a little bit today, a little bit tomorrow, things slide at a small firm.
John Cataldo (29:53):
Yeah. I can tell you during exams, a number of clients, well, I intended, or I started my annual compliance review. Right. Well, you haven't done it for two years in the two year window for the exam period. It doesn't look good. It's problematic. But yeah, setting, having some sort of system in place, as difficult as it is and devoting a certain amount of time to these compliance processes is huge.
John Carr (30:19):
That's right.
Brian Wallheimer (30:20):
I think that's our time. So thank you so much John and John for sharing wonderful insights with us. Thank you, the audience for being here, and we'll head on to the next session.
John Carr (30:29):
Alright, excellent.
Track 3: New SEC rules and how firms of all sizes can meet compliance challenges
June 23, 2023 2:25 PM
30:37