SEC examiners are warning that many RIAs aren’t giving their chief compliance officers enough authority or resources to properly enforce firm policies.

The agency notices when firms have underfunded compliance departments, Peter Driscoll, director of the SEC’s Office of Compliance Inspections and Examinations, said in a speech last week at an agency outreach event.

The "need for resources must be continually reassessed, as the firm’s business model may grow or shrink, as new business strategies are adopted, or as weaknesses in compliance are identified," he said.

OCIE issued a risk alert last week flagging six areas of “notable deficiencies or weaknesses” in compliance for RIAs, including inadequate resources for compliance departments and insufficient authority for chief compliance officers. The four other areas of concern were annual review problems, failure to carry out written policies, off-the-shelf or incomplete policies, and a lack of properly tailored policies and procedures.

Problem with authority

The SEC noted in the risk alert that a lack of resources was a particular problem among advisory firms that had grown significantly in size or complexity but hadn’t hired additional staff or added adequate information technology, leading to compliance failures.

Carlo di Florio, the former director of OCIE, says if a firm grows and compliance doesn’t follow suit, “it shows the regulator that compliance is an afterthought.”

An advisory firm's compliance spending compared to growth spending is an indicator of whether there’s a “good culture of compliance,” says di Florio, now a partner and global chief services officer at ACA Compliance.

“Firms should appropriately assess their own needs based on their business model, size, sophistication, advisor representative population and dispersal, and provide for sufficient resources as necessary for compliance with applicable laws,” the SEC's Driscoll said in his speech.

The SEC’s risk alert also highlighted problematic cases in which CCOs were prevented from doing their jobs. For instance, examiners had found advisors that restricted their CCOs from “accessing critical compliance information,” such as trading exception reports and investment advisory agreements with key clients. The SEC also found problems among advisors where CCOs were not consulted by senior management and employees of the advisor regarding matters that had potential compliance implications.

“The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firm’s failings,” Driscoll said. Good CCOs can add value to the business by not only helping firms “avoid costly compliance failures” but also guiding advisors on additional business options based on new or amended rules, he added.

Annual review deficiencies

Advisors are required to conduct an annual review of their compliance protocols, but according to the SEC’s alert, there were cases where advisors couldn’t prove those reviews had taken place, or where the reviews were so limited that they didn’t identify any key risk areas.

OCIE also said there were advisors who failed to review compliance procedures for significant parts of their business, such as the “oversight and review of recommended third-party managers, cybersecurity and the calculation of fees and allocation of expenses.”

Earlier this month, the OCIE issued a risk alert on deficiencies it had found in exams of multi-branch RIAs. Last week, the SEC recommended both broker-dealers and RIAs adopt a “dynamic” approach to compliance when dealing with complex exchange-traded products.

The SEC is pushing advisors to take a look at their compliance programs more frequently as business and regulatory landscapes evolve, says di Florio.

“They’re encouraging interim reviews. As you launch a new strategy, you introduce a new product, a new regulation comes out like [the SEC's] Regulation Best Interest, new technology emerges, take the opportunity to take a fresh look at your program,” he says.

Do you have a news tip you’d like to share with FA-IQ? Email us at