Compliance Testing Survey Results: Cybersecurity Continues to be Top Compliance Concern

July 19, 2017

New Compliance Testing Survey Also Finds Use of Automation on the Rise

Washington, D.C. (July 18, 2017) – Cybersecurity continues to be the biggest concern among compliance professionals at registered investment adviser firms – with 86% of respondents in a new survey identifying “cybersecurity/privacy/identity theft” as the “hottest” compliance topic for the fourth year in a row.  Moreover, 76% indicated that their firms increased compliance testing in this area over the past year.
 
Compliance professionals at 599 investment adviser firms participated in the 2017 Investment Management Compliance Testing Survey, conducted jointly by the IAA, ACA Compliance Group, and OMAM, a global multi-boutique asset management company.

The 2017 survey was conducted online in April and May. Full survey results are publicly available on the IAA website and on the ACA Compliance Group website.
 
Compliance professionals ranked issues relating to the SEC’s Custody Rule as the second hottest compliance topic (26%) after cybersecurity – not surprising, given the latest concerns raised by recent SEC staff guidance in this area.  Other areas of concern identified by respondents were regulatory reporting (e.g., Form ADV) with 21% (up sharply from 4% last year), and disaster recovery planning with 20% (up from 8% last year).  

The 2017 survey covered a wide range of topics with the following additional notable findings: 

  • Costs of regulatory compliance —  According to the survey, the top four compliance costs of investment advisers are internal personnel (80%); third-party compliance consultants (33%); technology (32%); and outside legal counsel (27%).  The largest percentage of firms (26%) spend between $100,001 and $250,000 on compliance.   
  • Compliance program — Over 70% of firms have not detected compliance issues that they deemed to be “material” through their testing program – with advertising, books and records and custody being the most commonly found material compliance matters.  A majority of survey respondents perform internal regulatory research and rely on industry groups for guidance on compliance.
  • Use of automation — 57% of respondents indicated that their use of automated compliance systems increased in 2016, while less than 1% reported a decrease.  56% of respondents expect to further increase their use of automation in 2017.
  • Fees and expenses — 83% of respondents reported testing to ensure clients are billed advisory fees in accordance with their contracts.  100% of respondents disclosed the expenses their firms charge to clients in either private placement memoranda for private funds or investment management agreements. 
  • Wrap programs — While they are a current area of focus by the SEC, a substantial majority of advisory firms responding to the survey do not participate in wrap programs (78%).  Of the ones that do, 17% participate as a portfolio manager and only 2% as the sponsor.  47% of respondents said their firms trade away to achieve best execution for their clients.  
  • Whistleblowing rules — 40% of respondents indicated changing their compliance programs in response to the SEC’s Whistleblower Risk Alert.
  • BCP/TP —  81% of firms have stand-alone business continuity plans, while only 13% address transition planning on a stand-alone basis.  Firms reported testing in the areas of ability to recover data (84%), access to back-up records (79%), and communications (71%). 
  • Branch offices — 40% of respondents reported providing advisory services from multiple locations and 83% indicated that their firm-wide policies and procedures address remote locations.  73% said they conduct scheduled on-site visits at their branch offices. Branch offices are a current examination focus of the SEC’s.
  • Form ADV amendments  — When asked how prepared firms are for the new Form ADV reporting amendments, 35% indicated that they are progressing with their implementation efforts and expect to be ready by the compliance deadline.  30% reported being in the early stages of their implementation efforts. 
  • Liquidity risk management programs —  Of the respondents that reported being a sub-adviser to a mutual fund, 40% indicated they employ a highly liquid strategy so anticipate minimal impact from new requirements that funds establish liquidity risk management programs.  Of those firms that will be impacted to some degree, a majority indicated that their firms are progressing with implementation efforts.
  • International — Of the 37% of respondents that operate outside of the U.S., England (59%), Hong Kong (32%), Singapore (25%) and Canada (22%) are the most likely places.  Regarding MiFID II, 58% of firms affected by the EU legislation regulating investment services are unsure how they will pay for research when the new rules are effective in early January 2018.
  • Cybersecurity — Firms continue to devote resources to cybersecurity, with 44% of firms having purchased cybersecurity insurance (20% purchasing total coverage of between $1 and $3 mm).  86% of firms responding to the survey conduct cyber risk assessments and 72% also conduct network penetration tests.
  • Oversight of third parties — The top three third-party service providers being used by firms are e-mail archival vendors, attorneys, and independent qualified custodians.  The use of periodic questionnaires to oversee third parties (36%) increased the most in 2017 (from 28% in 2016).
  • Soft dollars — 41% of respondents said that their firms do not engage full-service broker-dealers and do not receive proprietary research.  81% of respondents indicated that they do not anticipate changes to their soft dollar programs in light of the new MiFID II requirements that firms unbundle research. 
  • Pay-to-play — 78% of firms responding have adopted pay-to-play policies and 67% did not make changes to these policies during the 2016 election year.

Firms of all sizes responded, with 39% of respondents managing less than $1 billion, 39% managing $1 billion to $10 billion, and 22% managing more than $10 billion. More than two-thirds (68%) of responding firms reported having 50 or fewer employees, which is consistent with industry data showing that the vast majority of investment advisers are small businesses. This year’s survey also revealed that the vast majority of CCOs (71%) continue to wear more than one hat (with 17% also serving in some legal capacity).
 
“Now in its 12th year, our survey continues to be the most comprehensive resource available to compliance professionals for identifying compliance trends and practical testing strategies as well as benchmarking their practices against other firms in the industry,” said IAA President & CEO Karen Barr.
 
“We have a lot of really valuable trend information regarding the most common areas of concern that we discuss with the participants,” said Lynne M. Carreiro, Managing Director at ACA Compliance Group.  “The participants represent a wide variety of firms, from traditional wealth managers to more alternative real asset managers, which gives us a good cross section of how the industry views and approaches the various areas of regulations.  CCOs are getting new ideas for testing or monitoring their firm’s compliance, as well as seeing what areas peers are struggling with.  It can be a great affirmation of your position, or a harsh reality check.”
 
“Once again the survey has been well received by the industry – bringing together a high number of industry peers. SEC staff has communicated over time the importance of evaluating industry best practices and respondents have recognized the survey as an excellent tool for gauging the adequacy and appropriateness of their compliance programs,” said Amy Yuter, OMAM Deputy Chief Compliance Officer.
 

About the Survey Organizers
 

ACA Compliance Group
ACA Compliance Group ("ACA") is a leading global provider of regulatory compliance products and solutions, cybersecurity and technology risk assessments, performance services, and technology solutions to the financial services industry. Founded in 2002 by former SEC examiners and a state regulator, ACA develops and provides its products through a world-wide team of former SEC, FINRA, FCA, NYSE, NFA, and state regulators, as well as former senior in-house compliance professionals and technologists from prominent financial institutions. ACA serves a diverse base of leading investment advisers, private fund managers, commodity trading advisors, investment companies, and broker-dealers. ACA’s products include standard and customized compliance packages, cybersecurity and technology risk assessments, GIPS® verifications and other performance services, anti-money laundering advisory, and a wide variety of technology solutions for financial services firms. For more information, please visit www.acacompliancegroup.com.
 
Investment Adviser Association
The Investment Adviser Association (IAA) is the leading trade association representing the interests of SEC-registered investment adviser firms. The IAA’s more than 600 member firms collectively manage assets in excess of $20 trillion for a wide variety of institutional and individual investors. For more information, visit www.investmentadviser.org or follow us on Twitter, LinkedIn, and YouTube.
 
OMAM
OMAM (NYSE: OMAM) is a global, multi-boutique asset management company with approximately $249.7 billion of assets under management as of March 31, 2017. Its diverse Affiliates offer leading, alpha generating investment products to investors around the world. OMAM’s partnership approach, which includes equity ownership at the Affiliate level and a profit sharing relationship between OMAM and its Affiliates, aligns the interests of the Company and its Affiliates to work collaboratively in accelerating their growth. OMAM’s business model combines the investment talent, entrepreneurialism, focus and creativity of leading asset management boutiques with the resources and capabilities of a larger firm.