The weekly news source for investment management legal and compliance professionals

News July 17, 2017 Issue

Cybersecurity Hottest Compliance Topic among Advisers in 2017, Survey Finds

It was true for the past three years, and it’s true again in 2017: Cybersecurity is the hottest compliance topic among investment advisers, according to a nationwide survey released this month. Eighty-six percent of advisers think so. Custody is a distant second, with 26 percent of advisory firms ranking it as the most important compliance concern.

That’s according to the 2017 Investment Management Compliance Testing Survey, a joint effort between ACA Compliance Group, the Investment Adviser Association and asset management holding company OMAM. 2017 marks the 12th year the survey has been conducted.

Not only is cybersecurity the hottest compliance topic, "firms continue to devote more resources to it," said IAA assistant general counsel Sanjay Lamba.

As for technology overall, "the survey had some really interesting results with regard to the role of technology in the compliance industry," said ACA Compliance Group managing director Lynne Carreiro. "For example, more than half of the respondents indicated that they have increased the use of technology in the management of their compliance program, with 57 percent reporting that they expect their use to increase again next year."

"Firms not employing technology to manage compliance may find themselves quickly behind in best practices," she said.

The survey results represent responses from compliance professionals at 599 advisory firms. Those responses come from a variety of firm sizes, with 39 percent managing less than $1 billion, 39 percent managing $1 billion to $10 billion, and 22 percent managing more than $10 billion. Of those responding, 57 percent of the firms said they represent high-net-worth individuals with accounts of $1 million or more, 53 percent represent institutional clients, 50 percent represent private funds, 46 percent represent ERISA assets or pension consultants, 33 percent represent retail individuals with accounts of $1 million or less, 30 percent represent registered investment companies, and 20 percent represent family offices.

The survey polled advisory firms on compliance testing in eight areas. These were remote/branch office supervision; use of automation; fees and expenses; wrap programs; whistleblowing; business continuity and transition planning; impending regulations, particularly Form ADV Part 1A and liquidity risk management; and international regulation.

Here are the top rankings in terms of what advisers rated the "hot topics" in compliance for 2017:

  • Cybersecurity/privacy/identity theft. The 86 percent who cited this as their firms’ hot topic represented a slight decline from 2016, when 88 percent ranked the topic that way, the same percentage as in 2015. In 2014, 75 percent listed cybersecurity as number one. Before that the number drops precipitously: 14 percent listed the topic as being of the most concern in 2013, while 15 percent did so in 2012.
  • Custody. This was ranked as the most important compliance concern by 26 percent of advisory firms responding. While well below cybersecurity, the custody ranking is more than double what custody ranked in 2016, when 10 percent of advisers listed it as the number one hot topic. Lamba suggested that this result is not surprising, given recent SEC staff custody guidance on standing letters of authorization, first-person transfers, and inadvertent custody. The percentages that listed custody as the most important compliance topic in previous years were as follows: 18 percent in 2015, 23 percent in 2014, 20 percent in 2013, and 12 percent in 2012.
  • Regulatory reporting. This topic appeared for the first time on the list, possibly because 2017 is the year that advisers have to meet the new reporting requirements on their Form ADV that were adopted by the SEC in 2016 (ACA Insight, 6/26/17).
  • Disaster recovery. Coming in third in 2017, disaster recovery was listed as the most important compliance topic by 20 percent of respondents. That compares to 8 percent in 2016, 17 percent in 2015, and 16 percent in 2014.

Other topics listed as the hottest compliance issues in 2017 include advertising / marketing (listed by 17 percent), anti-money laundering / Foreign Corrupt Practices Act / anti-bribery (listed by 14 percent), and fraud prevention (listed by 11 percent).

Amount of testing

Among the compliance testing questions asked by surveyors was whether firms had increased or decreased the amount of testing performed in specific areas.

  • Firms reported increasing the amount of testing in cybersecurity/privacy/identity theft (76 percent), advertising/marketing (40 percent), disaster recovery planning (38 percent), best execution (30 percent), and electronic communications surveillance (29 percent).
  • On the decreased testing side, the top area that saw decreased testing was trading issues, with 5 percent of responding advisory firms stating that they were doing less. Seventy-two percent of firms said that they had not decreased testing in any area.
  • Finally, 32 percent of advisory firms said that they conduct mock SEC exams in order to test their compliance measures.

Compliance costs

The cost of compliance can vary widely, depending on factors such as firm size and resources, the complexity of the compliance practices, and how a firm goes about ensuring that its practices are compliant. Here’s how those costs broke out in the survey results:

  • About 22 percent of advisers reported spending less than $100,000 on compliance,
  • Twenty-six percent of firms spent from $100,001 to $250,000,
  • About 22 percent incurred compliance expenditures of between $250,001 and $500,000,
  • About 17 percent spent between $500,000 and $1 million on compliance,
  • About 12 percent spent more than $1 million but less than $5 million; and
  • About 2 percent of respondents spent $5 million or more on compliance.

What compliance areas did those firms spend their money on? According to the survey results, the top four compliance costs were:

  • Internal compliance personnel (80 percent),
  • Third-party compliance consultants (33 percent),
  • Technology (32 percent), and
  • Outside legal counsel (27 percent).

Trend updates

Part of the survey results provides updated information on certain trends, among them cybersecurity, oversight of third parties, soft dollars and pay to play. Among the findings were that:

  • Seventy-four percent of firms reported that they have a formal, written cybersecurity program;
  • Twenty percent do not have a standalone cybersecurity policy, but have cybersecurity policies and procedures that are incorporated into other policies and procedures;
  • Forty-four percent of firms purchased cybersecurity insurance, and 20 percent did so with total coverage of $1 million to $3 million;
  • The top three third parties reported by advisers were email archival vendors, attorneys and independent qualified custodians. Forty-six percent of respondents reported having third parties sign confidentiality agreements, 36 percent require completion of a questionnaire, and 45 percent perform a due diligence review.
  • In terms of soft dollars, 41 percent of advisers that took part in the survey reported that they do not engage full service broker-dealers and do not receive proprietary research, while 39 percent said that they do make use of broker proprietary research and other services from full-service brokers. Twenty-eight percent said they make use of outside research and other services from third-party independent research providers, paid for by their broker-dealers.
  • Forty-three percent of advisers said that they have adopted a pay-to-play policy as part of their other policies, while 35 percent said that they have adopted a formal, standalone pay-to-play policy. Six percent said that their policy is a flat prohibition on contributions, while 1 percent said that they are in the process of developing a policy.
  • As for testing pay-to-play compliance, 39 percent said they do so annually, 24 percent said they do so quarterly, 8 percent said they do so semi-annually, 2 percent said they do so monthly, and 19 percent said that they do not test pay-to-play compliance.

Other findings of note

Advisers might be interested in learning some of the other results from the survey. These include:

  • Automation. Sixty-seven percent of participants reported using automated/electronic compliance systems. The most frequently automated compliance tasks reported were personal trading (81 percent), gifts and entertainment (54 percent), political contributions (47 percent), client guideline monitoring (35 percent), portfolio management (33 percent) and trade allocation (33 percent).
  • Fees and expenses. The most common tests conducted in regard to fee arrangements reported by survey respondents included whether clients are billed advisory fees in accordance with the terms of their advisory contracts (83 percent); whether the description of fee arrangements in Form ADV is accurate, current and consistent with the compensation arrangements in advisory contracts (75 percent); and ensuring that the amount of assets under management on which the advisory fee is billed is accurate (72 percent).
  • Wrap fee programs. Among the top compliance testing for wrap fee programs reported on the survey was reviewing the Form ADV disclosure (81 percent), performing due diligence on the sponsor (35 percent), reviewing client trading to confirm that the sponsor’s trading achieves best execution (35 percent), and reviewing broker allocations (29 percent). Forty-one percent of respondents said that they rely on the wrap sponsor to ensure that the wrap arrangement is beneficial.