NEW YORK (Thomson Reuters Regulatory Intelligence) - The end of the year is often when investment adviser compliance departments plan for representative training for the coming year. Adviser training must reflect the firm’s unique operations and population of representatives, but it must also reflect broader compliance matters in the industry. A training plan that incorporates both firm-specific issues and “hot topics” will not only reduce regulatory risk on many fronts but promote a culture of compliance and risk management within the firm.
For 2018, these hot topics include cyber security, social media, electronic messaging and disaster recovery. Whether a firm is choosing training topics from a third-party catalog or creating content of its own, such topics should be high on the list for consideration.
Broker-dealers have been subject to detailed training requirements for many years. The training requirements for broker-dealers include a firm element and an individual element consisting of continuing education based on the individual securities licenses held.
Investment advisory firms do not have a specific firm-element requirement, and even though many investment advisory representatives have qualified to offer advisory services by passing an exam, such as Series 65, a continuing education element does not exist.
However, firms have found training to be the best tool to reduce and mitigate firm risk and set the tone for a firm’s compliance program. A strong tone of compliance is especially important when the Securities and Exchange Commission determines the scope of a firm’s examination and the areas to be reviewed.
A chief compliance officer bears a major share of the adviser’s compliance burden. The compliance chief is expected to be competent and knowledgeable, and responsible for administering the adviser’s compliance program. However, the rest of the staff can be held personally liable for their own compliance violations, in addition to creating liability for their firm. In that sense, CCOs and firm personnel in general need to realize they are in this together.
Training should be available not only to employees who may seem to pose less risk to the firm’s compliance, such as receptionists, mailroom personnel, or clerical assistants, but to all personnel, including the most senior executives, whose commitment to compliance training will help to set the tone at the top.
Advisers have been using technology as a way to facilitate training. Many firms will use third-party online course materials that will allow the representative to log in and complete the exercise. The software will track completion and create proper records for regulatory examinations. However, small firms may continue to create their own course material or rely strictly on an in-person annual compliance meeting.
A training plan that captures a firm’s definite risks is imperative; however, one that also addresses the current regulatory environment and new risks that face advisers is suggested. These current topics can be learned from compliance conferences, professional publications, recent enforcement actions and SEC risk alerts. At a minimum, a firm should review the SEC’s published annual exam priorities to identify those with relevance to the firm.
Using regulatory priorities and compliance hot topics in training also exhibits proper dedication to the CCO position. The SEC expects the CCO to be trained and have sufficient knowledge of the rules. An awareness of regulatory priorities and current risks facing the industry in associate training points to a competent CCO.
Topics to consider for training in 2018 include:
The online security and protection of client private information has become a primary compliance obligation. Employee training on the topic is imperative. The technology is changing quickly and training must attempt to keep up. A firm must review its own policies concerning current cyber security threats and common mistakes that raise the risk of an attack.
A firm’s training may cover password protection practices, two-factor authorization, mobile device security, and common avenues that criminals may use to exploit data.
In addition, the training must address the actions to undertake, including who to contact, if sensitive information was lost, stolen, or unintentionally disclosed.
The use of social media has become standard not only in personal life but also in business. Training should include the firm’s policies and procedures for social media. An employee must be aware of policies including social media usage and approval guidelines.
In addition, the training may cover rules or regulations that can be violated by certain social media posts or actions.
A firm must have a policy for the use of text and instant messaging. The practice has become a communications staple for many, and in some cases it can put advisers at regulatory risk if messages are not retained and supervised.
The employees of an advisory firm must be aware of what programs can be used and their limitations. For example, the widely used iMessage on Apple devices is encrypted. The encrypted text information makes it virtually impossible to retain and review for compliance purposes. In addition, WhatsApp, an application that allows free cross-platform instant messaging for mobile devices, encrypts messages and allows senders to delete messages after they have been sent.
In 2017, the United States saw a multitude of natural disasters that can swiftly wipe out a firm’s records and devastate its ability to continue business.
A firm’s employees must prepare for a disaster as part of the adviser training program. The employees should know how to recover data, access backups, internally communicate, contact third parties and relocate if possible.
The training can be specific to the firm’s current plan components but a CCO can also rely on its employees to identify any new risks or ideas for improvement to the business continuity plan during training sessions.
(Jason Wallace is a senior editor for Thomson Reuters Regulatory Intelligence. Follow Jason on Twitter @Wallace_iabrief. Email Jason at firstname.lastname@example.org)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Dec. 26. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters