2018 Compliance Testing Survey: Cybersecurity Still Top Concern, Use of Technology on the Rise

Washington, DC (July 25, 2018) – For the fifth year in a row, cybersecurity continues to be the biggest compliance concern at registered investment adviser firms – with 81 percent of survey respondents identifying cybersecurity as the “hottest” compliance topic and nearly two-thirds indicating that their firms increased compliance testing in this area over the past year. The survey results also reflect the impact that technology is having on firms more broadly, the use of social media, tools to fight cybersecurity threats, and the role of automated compliance systems.   

Compliance professionals at 454 investment adviser firms participated in the 2018 Investment Management Compliance Testing Survey, conducted jointly by the IAA and ACA Compliance Group.  Firms of all sizes responded, with 30 percent of respondents managing less than $1 billion, 45 percent managing $1 billion to $10 billion, and 25 percent managing more than $10 billion. Two-thirds (64 percent) of responding firms reported having 50 or fewer employees, which is consistent with industry data showing that the vast majority of investment advisers are small businesses. This year’s survey also revealed that the majority of CCOs (66 percent) continue to wear more than one hat (with 20 percent also serving in some legal capacity).
 

“Now in its 13th year, the survey continues to be an invaluable resource for compliance professionals for identifying compliance trends and benchmarking their practices against other firms in the industry. Among the many key takeaways of this year’s survey is that the job of a CCO is becoming more complex and varied, as demonstrated by the wide range of legal and compliance areas CCOs are responsible for, with new ones being added every year,” said IAA President & CEO Karen Barr. 

“As with previous years, we found that the role of the CCO and compliance in general has continued to grow in complexity. This is mostly due to regulatory changes and the expanding scope of responsibilities that compliance teams have taken on,” said Enrique Alvarez, Senior Principal Consultant at ACA Compliance Group. “To address this, we found that participants are not adding more resources and instead are implementing and using technology and service providers to fill the gaps where needed.”

Compliance professionals ranked issues relating to the SEC’s Advertising Rule as the second hottest compliance topic (29 percent) after cybersecurity – not surprising, given the SEC’s recent focus in this area. This includes concerns raised by the SEC staff in a published Risk Alert regarding the most commonly cited Advertising Rule deficiencies in examinations and the agency’s consideration of potential amendments to the Advertising Rule.  Other areas of concern identified by respondents were issues relating to custody, with 28 percent of survey respondents identifying it as the third hottest topic and many expressing concerns with custody-related disclosures in Form ADV. Issues relating to privacy rounded out the top four compliance concerns.

The 2018 survey, conducted online through May, covered a wide range of topics. Other notable findings include:

• Use of automation:  Close to 70 percent of respondents use some form of technology in their compliance program, with the most common usage involving personal trading/code of ethics, gifts and entertainment, political contributions, and client guidelines. Over half of survey respondents anticipate increasing their use of technology.
• Fees and expenses:  The vast majority of survey respondents test fee calculations (88 percent), with most testing on a periodic sample basis (55 percent). With respect to expenses, the top three tests are making sure expenses are consistent with advisory contracts (47 percent) or fund offering documents (41 percent), and that the expenses billed to clients are explicitly disclosed in the firm brochure (45 percent).
• Investment Mandates:  Nearly half (46 percent) of firms consider environmental, social, and governance (ESG) factors in managing client portfolios, with 62 percent indicating that their investment teams analyze ESG factors. With respect to investment mandates more generally, most firms (93 percent) have policies and procedures to ensure that client objectives and restrictions are being met with 42 percent using front-end automated compliance systems.
• Data Analytics:  A majority of firms (67 percent) said that they do not use trading data analytics to monitor trading activity. Of the survey respondents that do, about half use third-party software and the other half use internal trading data surveillance. Survey respondents were also asked about the use of technology to mine or survey data. Most firms (70 percent) do not currently use alternative data research, but of the firms that that do, 18 percent have dedicated policies and procedures regarding its use.
• Custody: The top three controls relating to safeguarding client assets are conducting background and credit checks on access employees (55 percent), providing custodians with a list of authorized employees (52 percent), and limiting employees who are authorized to transmit trade orders (51 percent). With respect to the SEC staff’s February 2017 custody guidance, survey respondents cited complying with the SLOA no-action letter and conducting due diligence regarding inadvertent custody as steps they have taken to avoid or limit having custody since the guidance was issued.
• Best Execution:  The vast majority of survey respondents (88 percent) evaluate best execution with respect to the following types of transactions:  equities (81 percent), fixed income (44 percent), derivatives (18 percent), and foreign currency transactions (17 percent). A majority of respondents (53 percent) never accept client-directed brokerage whereas less than one-third (24 percent) almost always do so without imposing limits.
• Soft Dollars:  While 29 percent of respondents reported that their firms do not engage full service broker-dealers and do not receive proprietary research, 39 percent reported receiving proprietary research from brokers and 29 percent reported receiving outside research from independent providers. Fully 79 percent of respondents indicated that they were not impacted at all by the new MiFID II requirements that firms unbundle research.
• Advertising/Social Media:  The most common controls relating to advertising are requiring formal pre-approvals by CCOs (67 percent) and requiring pre-clearance with interactions with the media (54 percent).  The vast majority of firms reported having related written policies and procedures (86 percent) and common testing of marketing activities include reviewing the firm website (70 percent) and conducting focused reviews of newly-created documents (64 percent).  The use of social media is on the rise, but slightly, with 32 percent of firms reporting that they are not using social media.  According to the survey, firms’ use of social media is mostly on a very limited “business card” basis.
• Individual Clients: The majority of survey respondents provide advisory services to individual clients and most (59 percent) meet with their clients at least yearly; about one-third are meeting on a quarterly basis.  With respect to dealing with issues relating to aging clients, such as diminished capacity, 45 percent of firms have documentation regarding beneficiaries and contingent beneficiaries; 35 percent conduct employee training, have specific policies and procedures, and require authorized persons to notify them of changing circumstances.
• Cryptocurrency: Despite the SEC’s recent focus on issues relating to cryptocurrency, virtually all survey respondents reported that their firms do not trade in cryptocurrency.  A majority of survey respondents reported that their codes of ethics relating to employee trading do not contemplate cryptocurrencies; only 10 percent require pre-clearance for initial coin offerings.
• Cybersecurity:  83 percent of firms reported conducting cybersecurity assessments, including software patches (76 percent), network penetration tests (73 percent), and vulnerability assessments (72 percent). Nearly two-thirds of respondents increased the type, scope, and/or frequency of compliance testing in the area of cybersecurity.  A common response to how firms have enhanced their cybersecurity program is that they now conduct phishing tests of employees. 
• Form ADV Amendments:  When asked about the most onerous part of preparing the new Form ADV, disclosures relating to separately managed accounts (SMAs) came in first – specifically, increased SMA reporting of derivatives and borrowing (37 percent), determining the classification of investment types held in SMAs (21 percent), determining what is an SMA for purposes of Form ADV (13 percent), and disclosures relating to SMA custodians (7 percent). 
• Pay-to-Play:  80 percent of firms responding have adopted pay-to-play policies and 79 percent did not make changes to these policies during 2017.

A summary report and full results of the 2018 Investment Management Compliance Testing Survey are available on both the IAA website and the ACA Compliance Group website.

About the Investment Adviser Association

The Investment Adviser Association (IAA) is the leading trade association representing the interests of SEC-registered investment adviser firms. The IAA’s more than 640 member firms collectively manage approximately $20 trillion in assets for a wide variety of institutional and individual investors. In addition to serving as the voice of the advisory profession on Capitol Hill and before the SEC, DOL, CFTC and other U.S. and international regulators, the IAA provides extensive compliance and educational services to its membership. For more information, visit www.investmentadviser.org or follow us on LinkedIn, Twitter and YouTube.

About ACA Compliance Group

ACA Compliance Group ("ACA") is a leading global provider of regulatory compliance products and solutions, cybersecurity and technology risk assessments, performance services, and technology solutions to the financial services industry. Founded in 2002 by former SEC examiners and state regulators, ACA develops and provides its products through a world-wide team of former SEC, FINRA, FSA, NYSE, NFA, and state regulators, as well as former senior in-house compliance professionals and technologists from prominent financial institutions. ACA serves a diverse base of leading investment advisers, private fund managers, commodity trading advisors, investment companies, and broker-dealers. ACA’s products include standard and customized compliance packages, cybersecurity and technology risk assessments, GIPS^® verifications and other performance services, and a wide variety of technology solutions for financial services firms.