The Biggest Compliance Traps That You Don’t Even Know Are Happening at Your Firm
By Lori Weston, Director of Product and Strategy, STP Investment Services
As a compliance officer responsible for administering your firm’s compliance program, you are keenly aware of your firm’s compliance risks. The SEC requires advisers to implement compliance programs designed to mitigate these risks. As news of SEC enforcement actions continues to be reported, you’re likely evaluating whether your firm’s compliance program could withstand similar regulatory scrutiny. If you find yourself thinking, “that’s not us,” it may be time to dig deeper. Your firm may have compliance vulnerabilities that aren’t obvious, yet could pose significant regulatory risks.
Artificial Intelligence: How AI Creeps into Compliance
Whether your firm promotes its use of AI or prefers to avoid it, there are AI-related compliance traps you need to consider.
Unknowingly Vulnerable
Many firms believe they are safe from AI-related compliance risks because they have elected not to use it. However, AI can enter through third-party vendor relationships, creating hidden vulnerabilities. In today’s interconnected business landscape, your firm may be unintentionally exposed to AI.
The Hidden AI Risk of Third-Party SaaS Providers
Your firm may unknowingly use AI-driven solutions embedded within third-party SaaS tools, like portfolio management or CRM software. Such tools may contain machine learning models that interact with sensitive client data, creating potential privacy and cybersecurity risks. Compliance officers should understand their vendors’ use of AI, especially when sensitive client information is processed, and perform regular oversight of the vendor’s protocols to protect client information.
AI Use by Employees
Employee actions may also create AI exposure for firms. For instance, an advisory rep might use AI-powered analytics for client reporting or recommendation engines for portfolio management. Meeting regularly with your staff to review the tools they use and their preferred practices can help identify otherwise unknown AI exposure. If your firm allows the use of AI, make sure to conduct due diligence of the tools used. Verify the accuracy of outputs and prevent recommendations based on flawed or biased models. Review your policies to ensure they reflect your firm’s practices and train staff so they understand what is permissible and what is not.
Disclosure Scrutiny
Even firms that openly embrace AI face compliance risks, particularly with disclosures. Regulators demand transparency, and failure to accurately disclose your firm’s operational use of AI, or its exposure through vendor partnerships, can lead to compliance violations. Review your Form ADV Part 2A disclosure, marketing materials, and social media posts to confirm that your firm’s use of AI is accurately represented. Recently, the SEC has penalized firms for exaggerated claims around AI, known as “AI washing.” Proper documentation and accurate disclosure of AI usage within your organization are critical given AI’s infancy.
Off-Channel Communications: When Texting for Convenience Crosses the Compliance Line
Mobile devices enhance productivity but can also create compliance risks, especially when employees use personal devices for business communications.
Regulatory Requirement
The Advisers Act requires advisers to maintain communications related to “any recommendation made or proposed to be made and any advice given or proposed to be given.” However, capturing these communications becomes challenging when they occur on non-approved systems, which are considered to be “off-channel.” Add to this the difficulty of determining whether a particular communication qualifies as advice, proposed advice, a recommendation, or a proposed recommendation, and it becomes obvious why firms adopt strict policies that prohibit conducting any company business off-channel.
Innocent Texts Can Lead to Compliance Violations
Consider an example where an employee texts a client to confirm an appointment location. This might seem harmless, but it opens a line of communication that could lead to uncaptured texts containing advice or recommendations.
Another scenario might involve employees discussing a client’s investment strategy. If they later text each other regarding a proposed recommendation, their communication may be required to be retained. Off-channel communications, even among staff, can create compliance risks.
The Scale of the Problem
In the past three years, the SEC has imposed nearly $2 billion in fines for recordkeeping failures involving electronic communications. Firms of all sizes have been affected. With the prevalence of apps like WhatsApp and SMS in our daily lives, off-channel communications have become a serious compliance issue.
Training and Enforcement
While many firms have policies around off-channel communications, consistent training and enforcement are often lacking. Without regular training, staff may default to non-compliant messaging methods for convenience. The SEC has emphasized that firms should actively enforce these policies through rigorous training and ongoing monitoring.
Monitoring Communications: The Other Side of Compliance
Capturing communications is just part of your firm’s compliance responsibility. Monitoring these communications is equally critical, falling under an adviser’s obligation to supervise staff, monitor for client complaints, and uphold its fiduciary duty to clients.
When it comes to maintenance of required records, including electronic communications, focus on three key elements: (1) robust policies outlining permissible electronic communication channels; (2) regular, ongoing training to all staff regarding the firm’s adopted policies; and (3) a records retention vendor that can capture and maintain communications transmitted via permitted systems. An outsourced compliance provider can help you use these tools most effectively.
Marketing Rule Mishaps: Navigating Modernized, Yet Complex, Regulations
The SEC’s Marketing Rule, introduced in 2022, replaces outdated advertising regulations, allowing more flexibility in marketing. However, it also introduces new requirements that many firms find challenging to implement.
Endorsements and Testimonials
Endorsements and testimonials, common in digital marketing, are permitted when accompanied by specific, prominent disclosures, including whether the individual providing the endorsement is a client or investor, and whether any compensation was given for the endorsement. Failure to meet all disclosure requirements can lead to significant penalties. The risk is particularly high for firms that rely on social media or influencer marketing, where paid endorsements are common.
Awards and Rankings
Advertising awards and rankings also come with numerous disclosure requirements, including whether the firm or individual that received the award paid to participate. Even if your firm’s award or ranking is legitimate, failure to include prominent disclosures regarding the circumstances of earning that award can result in enforcement action.
Advertising Performance
Advertising performance can attract potential clients, but it poses compliance risks, which are exacerbated when hypothetical performance is advertised. Under the Marketing Rule, advisers who advertise performance must present both gross and net results calculated over the same period using consistent methodologies. Hypothetical performance, which is generally considered an advertisement even when presented to only one individual, must be relevant to each recipient’s financial goals, limiting its broad distribution.
Compliance Consulting Protects Your Business
Compliance risks can be hard to spot, from unseen AI vulnerabilities to everyday communication errors and inadequate marketing disclosures. Working with a compliance consulting firm gives you access to a team of experts who are well-versed in regulatory matters and adept in applying the rules to your firm’s specific situation. A proactive consultant protects your firm from compliance risks and allows you to focus on client service and business growth.
Investing in compliance is not just about avoiding penalties; it’s a way to safeguard your firm.
Lori Weston is a seasoned compliance professional with a dynamic career spanning over fifteen years in the financial services industry. Lori currently serves as STP’s Director of Product & Strategy. She was most recently employed by ACA, where she played a pivotal role in developing innovative compliance programs tailored to meet the needs of investment advisers. Prior to ACA, Lori was Managing Director and Compliance Consultant at Foreside, where she served more than 80 registered investment advisers. Lori began her compliance journey at Lincoln Financial, where she supported independent registered investment advisers, laying a strong foundation in their compliance practices.