On November 9, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”) released a Risk Alert (“Risk Alert”) https://www.sec.gov/files/exams-eia-risk-alert.pdf concerning deficiencies it observed in its examinations of investment advisers that provide their investment advisory services online, via mobile applications, or both known as “robo-advisers.” The Division has observed a significant increase in the number of investment advisers choosing to provide automated digital investment advisory services to their clients. The Risk Alert states that “the use of automated digital investment advisory services “robo-advisory services” can have important investor protection implications.” Moreover, the Risk Alert states that “when robo-advisers fail to comply with their regulatory obligations, investors may experience poor outcomes. If, for example, a robo-adviser’s client survey process does not appropriately capture a client’s risk tolerance, it could result in advice to invest in securities that are not aligned with the client’s best interest. Similarly, if a robo-adviser is programmed to act on conflicts of interest that raise the costs or decrease the quality of the services provided, the client may be harmed as a result of the adviser’s putting its own interests ahead of its clients.
The observations noted on the Risk Alert are based on Division examinations regarding how robo-advisers were fulfilling their fiduciary duties to: (1) provide clear and adequate disclosure regarding the nature of the advisers’ services and performance history; and (2) act in their clients’ best interests. According to the Risk Alert, nearly all of the examined robo-advisers received a deficiency letter, with observations most often noted in the areas of: (1) compliance programs, including policies, procedures, and testing; (2) portfolio management, including, but not limited to, an adviser’s fiduciary obligation to provide advice that is in each client’s best interest; and (3) marketing/performance advertising, including misleading statements and missing or inadequate disclosure. The Division also noted that robo-advisers were relying on, but not acting in accordance with, the Internet Adviser Exemption and Rule 3a-4 under the Investment Company Act of 1940.
Focus of Examination
The Division’s examination focused on robo-advisers’ practices in the following areas, including their adherence to their fiduciary duty:
- Compliance Programs: the staff assessed whether compliance policies and procedures, particularly those related to the provision of robo-advisory services, were adopted, implemented, reasonably designed, and tested at least annually.
- Formulation of Investment Advice: the staff evaluated whether robo-advisers gathered sufficient information from clients to form a reasonable belief that clients were receiving investment advice that was in their best interest based on each client’s financial situation and investment objectives.
- Marketing and Performance Advertising Practices: the staff examined robo-advisers for compliance with the “Advertising Rule.”
- Data Protection Practices: the staff examined robo-advisers’ policies and procedures regarding client data protection, including cybersecurity practices.
- Registration: the staff reviewed the robo-advisers registration information to determine whether the advisers were eligible for SEC registration as investment advisers.
According to the Risk Alert, the Division’s staff made the following observations regarding its examinations regarding robo-advisers:
1) Most of the robo-advisers had inadequate compliance programs, typically as a result of either a lack of written policies and procedures or having ones that were insufficient for their operations, unimplemented, or untested.
Specifically, the staff observed robo-advisers that did not:
- Include elements in their policies and procedures specific to their use of an online platform and/or other digital tools for the provision of investment advice, such as assessing whether the advisers’: (1) algorithms were performing as intended; (2) asset allocation and/or rebalancing services were occurring as disclosed; and/or (3) data aggregation services did not impair the safety of clients’ assets as a result of the adviser having direct or indirect access to clients’ credentials (e.g., pins and passwords). Additionally, advisers using business-to-business platforms (e.g., “white-label platforms”) lacked policies and procedures that addressed the platform providers’ attention to these matters.
- Undertake a sufficient review of their policies and procedures at least annually to determine their adequacy, the effectiveness of their implementation, or both.
- Failed to recognize that certain practices constituted custody, causing the adviser to violate the “Custody Rule.”
- Comply with the “Code of Ethics Rule.” For example, some advisers did not: (1) receive the required holdings and/or transaction reports from all access persons, typically because not all access persons had been identified; (2) obtain or maintain the required written acknowledgements from all supervised persons confirming receipt of the advisers’ codes; and/or (3) include in their codes all required provisions.
2) Many of the robo-advisers were not testing the investment advice generated by their platforms to clients stated or platform-determined investment objectives or otherwise satisfying their duty of care.
The staff observed robo-advisers that:
- Either lacked written policies and procedures that would allow the firms to develop a reasonable belief that the investment advice being provided to clients was in each client’s best interest based on the client’s objective or adopted policies and procedures that were inadequate or not followed. A review of practices revealed that, while advisers commonly used questionnaires to collect client data, some firms relied on just a few data points to formulate investment advice. This raised the concern that the questions did not elicit sufficient information to allow the adviser to conclude that its initial and ongoing advice were suitable and appropriate for that client based on the client’s financial situation and investment objectives. In addition, many advisers did not periodically evaluate whether accounts were still being managed in accordance with the clients’ needs, such as by inquiring about any changes in their financial situation or investment objectives or having clients update or retake their questionnaires.
- Lacked written policies and procedures related to the operation and supervision of their automated platforms, increasing the risk of algorithms producing unintended and inconsistent results (e.g., due to coding errors or coding insufficient to address unforeseen or unusual market conditions, such as those caused by geo-political events, substantial oil price movements, or interest rate changes).
- Lacked adequate oversight of their automated platforms to monitor and prevent rebalancing errors and other trade errors at firms that.
- Lacked written policies and procedures to prevent violations of legal requirements related to their duty to seek best execution (some robo-advisers did not conduct, or document the details of, a best execution review, while others did not appear to be aware of their best execution obligations at all).
|PRACTUS NOTE: The SEC settled an action against an investment adviser and several of its affiliates for alleged misconduct associated with the use of quantitative models. While the investment adviser was not a robo-adviser, the comparable nature of the technology used by robo-advisers makes the case extremely relevant in the application of the SEC’s expectations. In particular, the order asserted that the adviser did not (i) confirm that the quantitative models worked as intended, (ii) provide sufficient oversight of the development and operation of the models; (iii) make adequate disclosures regarding the relevant experience levels of the personnel involved in administering the models, and (iv) disclose the risks and limitations of the models. It was also noted that the models contained numerous errors, such as incorrect calculations, inconsistent formulas among other errors. The consequences of this action were quite significant monetarily in that the adviser and its affiliates agreed to pay roughly $53 in disgorgement and interest and over $36 million in penalties. This case highlights the potential consequences of not establishing effective oversight of the design, implementation and operation of any models used by a robo-adviser and the importance of disclosure of material functions and limitations of such models to investors.|
- Had purported third-parties recommend the robo-advisers or provide execution services for advisory clients, but did not disclose that these parties were, in fact, affiliated with, and received compensation from, the advisers for the referrals, trades executed, or both.
- Omitted or had insufficient disclosure regarding how the robo-adviser collects and uses information gathered from a client to generate a recommended portfolio, or how and when rebalancing occurs.
- Omitted disclosures regarding processes for addressing profits and losses from trade errors.
- Provided inconsistent disclosures in various documents regarding advisory fee calculations.
|PRACTUS NOTE: Given that robo-advisers conduct the overwhelming majority of their business and communications with investors online, through electronic platforms and other electronic medium, robo-advisers should evaluate the level of detail of the disclosures provided to investors. In addition, all advisers have a fiduciary duty to their clients, and may not put their own interests ahead of their clients. If a robo-adviser is receiving any monetary benefits from third-parties in connection with the services provided to its clients, this could be direct compensation but also can include cost avoidance, these arrangements must be disclosed to clients.|
4) More than one-half of the robo-advisers had advertisement related deficiencies. For example, the staff observed advisers that:
- Made misleading or prohibited statements on their websites, such as: (1) using vague or unsubstantiated claims that could cause an untrue or misleading implication or inference to be drawn regarding the advisory services provided, investment options available, performance expectations, and costs incurred in investing (e.g., a comparative analysis of adviser-offered versus other products and services); (2) misrepresenting SIPC protections by implying that client accounts would be protected from market declines; (3) using press logos (e.g., ABC, CNN, Forbes) without links or disclosure that would explain their relevance; and (4) referring to, or providing links to, positive third party commentary, without disclosing the relevance, any conflict of interest (e.g., adviser compensation), or both.
- Used materially misleading performance advertisements on their websites, including hypothetical performance results of an investment model applied retroactively without including disclosures that would make the presentation not misleading.
- Provided inadequate or insufficient disclosure about “human” services (e.g., whether interactions with live individuals are available, mandatory, or restricted; whether they cost extra; or whether the client is assigned a financial professional).
|PRACTUS NOTE: The SEC adopted a new advertising rule that will go into effect in November 2022. The new advertising rule changes the advertising landscape, including with regard to the use of hypothetical, projected and other types of performance information. All advisers must ensure that any marketing materials or other communications that are advertisements under the new rule must be in compliance by the November 2022 deadline.|
5) The staff observed that while all of the robo-advisers had business continuity plans, and the vast majority had implemented written policies and procedures regarding identifying and recovering from cybersecurity events, fewer advisers had policies and procedures that addressed protecting the firm’s systems and responding to such events.
6) The staff observed that robo-advisers were not in compliance with Regulation S-ID, Regulation S-P, or both because they: (1) had “covered accounts,” but lacked written policies and procedures designed to detect, prevent, and mitigate identity theft; (2) lacked or did not implement written policies and procedures addressing compliance with certain elements of Regulation S-P; and/or (3) did not deliver initial and/or annual privacy notices to all clients when required to do so.
7) Nearly half of the robo-advisers claiming reliance on the Internet adviser exemption were ineligible to rely on the exemption, and many were not otherwise eligible for SEC-registration. The staff observed advisers that: (1) did not have an interactive website; or (2) provided advisory personnel who could expand upon the investment advice provided by the adviser’s interactive website or otherwise provide investment advice to clients, such as financial planning.
8) The staff observed that some robo-advisers’ affiliates were operating as unregistered investment advisers because they were operationally integrated with the respective advisers. Such affiliates could not rely on the Internet adviser’s registration as a basis for their own registration, as such reliance is prohibited under Advisers Act Rule 203A-2(e)(iii).
Conclusion (Key Takeaways)
It is clear from the Division’s observations that an out of the box compliance program will not be sufficient to address the specific needs of a robo-adviser. As with all compliance programs, robo-advisers need to customize their policies and procedures and tailor them to their business but beyond that, these policies and procedures must address the unique ways in which robo-advisers provide advice to investors (through algorithmic models), the supervisory structure relating to the provision of advice (not just people, but technology too), communicate and collect information to/from clients (through various electronic means), and the level of detail of disclosures provided to clients (particularly given limited personal interaction), among other things. For legal and compliance professionals these issues can be very complex due to the sophisticated nature of the technology used and how to align those practices with robust oversight (e.g., model validation and administration). That said, legal and compliance professionals should evaluate both their resources and capabilities to perform these very important functions and consider the use of experts where needed to ensure any applicable compliance framework is consistent with the SEC’s expectations.
Who should you talk to if you have further questions?
If you would like further information concerning the matters discussed in this Legal Insights, please contact the following: