The U.S. Securities and Exchange Commission’s Risk Alert provides additional information regarding the Division of Examination’s risk-based approach for both selecting registered investment advisers to examine and in determining the scope of risk areas to examine. It sets out the documents and information that staff will initially request as well as additional requests for information and documents from the adviser the staff may request as the examination progresses. Firms need to be aware that electronic communications–with all of the modalities such as emojis, GIFs, additions and deletions–are specifically included in the regulator’s risk-based approach.
Some of the reasons the Division may select an adviser to examine include, but are not limited to, one or more of the following:
- the firm’s risk characteristics
- a tip, complaint, or referral
- the staff’s interest in a particular compliance risk area – one of which is clearly recordkeeping given the recent expansion of enforcement action to include investment advisers.
There are also firm-specific risk factors that the staff considers when selecting advisers for examination, such as those related to a particular adviser’s business activities and regulatory history.
Examinations typically include reviewing advisers’ operations, policies and compliance practices with respect to certain core areas. Information regarding the compliance program, risk management, and internal controls includes specifically complaints, correspondence and electronic communications. As well as the process for monitoring those communications.
Firms need to be aware that the scope of electronic communications need to be considered. For instance, the expectation is that a firm can identify, capture, search for and retrieve an angry face emoji which may well be deemed a complaint.
During an examination, the regulator’s staff will request documents and information and will expect the firm to be able to retrieve all the requested records promptly in order to be able test the effectiveness of the adviser’s compliance policies and procedures for monitoring, mitigating, and managing risks. Simple policy maintenance is not enough – firms need to be able to evidence that their policies and procedures are working in practice.