A good RIA compliance program can save you a lot of time and money (and headaches) in the future. It isn't something to take lightly when setting up your new RIA, and this guide gives you everything you need to know to set up your RIA compliance program at your firm.
Having established more than a dozen registered investment advisers and worked with hundreds of legal and compliance professionals, I’ve seen nearly every possibility in which RIAs fulfill their regulatory obligations. While these regulatory rules, guidance notes, court cases, no-action letters, and legal interpretations can fill a library, an RIA’s role in keeping the SEC happy can simply be summarized as:
Adopting written policies and procedures reasonably designed to prevent violations of securities laws;
Annually reviewing those policies and procedures; and
Designating a Chief Compliance Officer.
Advisors that are considering going independent and forming their own RIA have likely depended in large part on an existing compliance infrastructure. This might have been a branch manager or an in-house compliance team that reviewed your marketing materials and asked you to disclose gifts, entertainment, political contributions and outside business activities. Each of those responsibilities (and many more) now falls on the advisor once you establish your RIA.
There are a few ways to tackle this. First is with the CCO appointment:
Serve as the CCO yourself;
Appoint someone on your team to be CCO; or
Hire a consultant as a CCO.
Once you have a CCO, you have two options to develop your compliance program:
Produce this on your own using resources provided by the SEC (and Google); or
Hire a consultant to develop your program.
It’s important to note that this is not a “pass the buck” exercise. Simply appointing a CCO and making that person responsible for compliance doesn’t absolve the CEO (President, Manager, or whatever title you chose if it’s your RIA) of responsibility. Always remember that it’s your RIA and you are ultimately accountable for the RIA fulfilling its regulatory obligations and not violating state or federal securities law. If anything, the SEC tends to be more forgiving to the CCO, provided the CCO demonstrates sufficient authority and seniority with respect to carrying out the compliance program!
Selecting the best choice
Let me save you some trouble in spending too much time deliberating. Hire an outsourced CCO to develop and administer your compliance program. Think about the trade-off: launching an RIA tends to be one of the biggest professional decisions an advisor makes. Would you rather spend your time focusing on what you’re good at (e.g. building a business, spending time with your clients, etc.) or learning the complex world of the 1940 Investment Advisers Act and subsequent 80 years of rule-making? Most of your colleagues agree: fewer than 10% of RIAs with fewer than $250 million in AUM have a full-time dedicated CCO.
Stick with your strengths, and hire someone that knows what they’re doing. You might ask:
“What if I take on the CCO title and just hire a consultant to do all the compliance work?”
Fair question, and a common, more cost-effective solution, too. This comes down to bandwidth and comfort. You may find a consultant that you think would be great to work with, but won’t take on the CCO title. Alternatively, you might find a mediocre consultant that’s happy to assume the CCO role. It’s best to evaluate each, determine who you’re more comfortable trusting to give you sound advice, and proceed accordingly. Again, as the sole operator of your RIA, the buck stops with you, so you can worry less about titles.
At some point it will make sense to hire an in-house compliance resource. That tends to happen around the $250-300 million mark. We can cross that bridge when we get there!
How do I hire a consultant?
There are five factors I always consider when hiring any outsourced compliance resource: expertise, bandwidth, patience, risk appetite and cost.
Expertise. This is a no-brainer. You need someone that knows what they’re doing. The CCO should have a minimum of 10 years of experience for at least 10 RIAs. It might feel like an oversimplification, but the reality is that this is a numbers game. Over the last decade, the SEC examined between 8% and 15% of RIAs each year. State regulator numbers vary, but not by too much. It’s possible for a CCO for an RIA to go years without an examination; however, if you find a CCO that’s been in business long enough, he or she will inevitably have some regulatory experience, which is critical to developing and administering a sound program. You may find larger consultants that appoint a CCO with a limited track record but supported by a Partner or Senior Manager with decades of experience. This can work; however, you should pay close attention to the support you’ll get from the more senior team members and how much more you’ll need to pay.
Bandwidth. Think about your clients. How much time and attention do you give them? How do you determine which clients get daily, weekly, monthly or quarterly calls? Compliance consultants are no different. Have that conversation up front and be candid, otherwise you’ll invite inevitable frustration. If you want to be able to call someone at any time for any reason, let them know. Most consultants are accustomed to routine calls, check-ins, and doing as much by email as possible. If a high personal touch is important to you it’ll likely limit your pool of options, but you’ll at least get a better outcome to help you sleep better at night.
Patience. Compliance consultants are notorious for “bucketing” their clients. They’ll spend some time getting to know your business, your client types, and your portfolio management and trading strategies, and then they’ll designate a more or less generic approach for your compliance program that’s in line with other firms “like you.” This process has frustrated me to no end. No two RIAs are alike, and no two advisors are alike. Every now and then, I’ll come across a consultant that spends days or weeks understanding my business. They ask questions that sometimes I haven’t considered, but immediately make me think this person is curious enough to help me find and mitigate risks. From your client’s perspective it’s no different: the more they feel you take the time to understand them, the more they tend to trust you. Apply the methodology here and work with someone that will give you plenty of time to ask and answer questions.
Risk appetite. Think of two ends of the spectrum: (1) strict adherence to the letter and spirit of the law; versus (2) complete disregard of the law. The second half of that spectrum is an obvious non-starter. However, the first should give you some pause. Does that mean you shouldn’t strictly follow the rules? Of course not. But securities law isn’t black and white. Even after 80 years of rule making, there’s still a ton of gray area, and that area continues to expand as new technologies, communication mediums, and financial instruments are created. Working with a compliance consultant that isn’t comfortable operating in the gray area and simply gives you the strict interpretation at every turn isn’t wise. You won’t get into regulatory trouble, but you could also be unnecessarily hamstringing your business opportunities and growth. Find a consultant that will take the time to do a comprehensive risk assessment with you, identify where the two of you are comfortable operating in the gray area, and get on the same page about how you’ll tackle those questions.
Cost. You get what you pay for. I’ve paid between $50 an hour for compliance support up to $1,100 an hour (solely driven by how deep the pockets of my firm might have been at the time). The key here is not that a $250/hour consultant is half as good as a $500/hour consultant. Instead, the focus for you is that in light of the factors above, which consultant is going to give you the most comfort and what are you willing to pay for it? If frequent communication is paramount, then shell out a bit more for it. If finding someone that’s super comfortable operating 100% in the gray areas of compliance is important to you, then you’ll need to pay more. But if you want a run-of-the-mill standard program that’ll never be bespoke to your business, you’ll probably pay bottom dollar. Be honest with yourself, have the discussion up front, and please read the fine print so you know exactly what you’re paying for.
We hope this information is useful to you in setting up your RIA compliance program. As always, please let us know if you have any questions. And in case you missed it, be sure to catch up on the previous articles in the series: