When it comes to compliance on a shoestring, small firms face some big challenges. From a technology standpoint, most compliance systems are expensive and difficult to manage. Unlike large financial services firms that have the money and manpower to support these systems, small firms face the burdens of meager budgets and skeletal IT staffs that often are already overwhelmed managing multiple projects.
Lisa Schmidt, chief compliance officer and vice president of Perkins Capital Management, a Wayzata, Minn.-based investment advisory firm with 16 employees, claims that organizations like hers must overcome some unique obstacles in order to comply with regulatory mandates. "The very first challenge would be costthe cost for hiring additional workers, the cost for the new technology," says Schmidt. "Time, too, is a big issue," she adds.
Looking Beyond Limitations
While most small firms, such as Schmidt's, have at least one function solely dedicated to compliance, the responsibilities associated with meeting both internal and external compliance requirements also must be shared by other employees throughout the organization. According to a recent survey by IBM Business Consulting of more than 200 financial services firms globally, sales and operations personnel who are not formally in compliance roles are spending 20 percent to 30 percent of their time on compliance-related functions. "I think one of the most unique challenges that I have found with small firms is that individuals are multi-hatted," explains Michael McCabe, partner, risk and compliance, IBM Business Consulting. "They're typically in both an operational role as well as a compliance role at their firm, ... and their total budget does not really allow them to do much more than a manual solution."
McCabe adds that despite these constraints, small firms do have options, including finding a trustworthy service provider to take on the compliance burden. "One of the more obvious options for smaller firms is the opportunity to outsource certain business processes so that in a sense you off-load a bulk of the compliance work," he says, citing anti-money laundering and e-mail compliance as two spaces where outsourcing can prove beneficial.
But, according to Perkins' Schmidt, outsourcing has its own disadvantages. "The Securities and Exchange Commission [SEC] is still very unclear about their rules regarding the whole compliance program with regards to outsourcing bits and pieces, and to have to go through any type of issue with the SEC and have things outsourced would make it more difficult," she explains. "With having things in-house, we have more control and we have more knowledge about everything that's going on here."
A Quick Fix
Managing compliance in-house was Schmidt's only option when she began searching for an e-mail archiving solution for her firm in 2003. Now, nearly three years later, Schmidt has completed the latest upgrade to her chosen solution, ComplianceVault by Eagan, Minn.-based Intradyn.
"We have a mutual fund and we have advisory clients, so we not only have to deal with investment advisory compliance, but investment company compliance as well," explains Schmidt. "While I have a couple of assistants who work in our operations area that help a lot with doing the fund information, ... 90 percent of my time is spent on just compliance issues and dealing with the day to day trading. I can afford to give 5 percent to computers, which is why ComplianceVault was so great for us. I can plug it in, then get an e-mail every morning that tells me how many e-mails went through the previous day. If I want, I can do a query and see, for example, how many e-mails were [written] by each individual person," she continues.
"I'm looking for inexpensive, quick solutions that don't need a lot of maintenancefinding that out there is getting harder and harder," Schmidt adds, noting that while she considered a few other vendors (which she declines to name), the cheapest alternative would have cost approximately $30,000. "For a little firm like ours, that would be our entire IT budget for the year," Schmidt says.
Touted by Intradyn as a cost-efficient plug-and-play solution, ComplianceVault essentially is a box that resembles a router. It plugs directly into the user's network and is managed through a browser interface. According to Schmidt, implementing ComplianceVault took approximately one hour.
Quick to stress his product's ease of use, Gary Doan, CEO of Intradyn, also claims that ComplianceVault has a lower total cost of ownership than outsourcing. "While there's not a lot of capital expenditure on the front end, the cost per month per mailbox, additional cost for discovery and the media cost to move data aroundthe cost of outsourcing becomes overwhelming for most small firms. We have no per-user cost," he asserts. "For some firms, outsourcing may be the right solution. But firms are still [responsible] for that data even if someone else has ityou can't outsource responsibility and liability."
Surviving an Audit
Responsibility and liability were on the mind of Tim O'Pry, chief technology officer of Kennesaw, Ga.-based money management and advisory firm The Henssler Financial Group, when his organization underwent an SEC audit at the end of 2005. At the time, Henssler was live on Entegra (now known as Audit DB), a data integrity solution by Acton, Mass.-based Lumigent Technologies. O'Pry credits the solution for enabling Henssler to pass the audit with flying colors.
"We use Entegra to track all additions, modifications and deletions to our primary data," explains O'Pry. "Entegra tracks everything, from every contact we have with the client ... to every transaction we perform on behalf of the client. It's all client-centric."
O'Pry says the solution proved valuable during the SEC audit because he was able to immediately fulfill regulatory requests, such as providing the SEC with communications to and from certain clients between specified dates. Should the SEC ever question whether information has been modified, O'Pry adds, he also can present auditors with an audit log that shows if any information has been changed. "The solution not only allows us to access the information, but it also allows us to be confident that if anything's been changed, we know who changed it and why," he says. "From a regulatory standpoint, we're able to provide a third-party solution that's doing the auditing."
Henssler's relationship with Entegra dates back to 2002, when the firm was searching for a better means to monitor and audit data viewing and database changes. "Traditionally, when you audit a database, you write a lot of code that basically gets what the old value was, what the new value is, who changed it and when, and you log that in," says O'Pry. "That's very time-consuming to write and maintainevery time you make a change to your data, you have to update the code."
O'Pry wanted a solution that would eliminate the need to perform tedious manual processes in-house, but, like Perkins Capital, outsourcing was not an option because Henssler wanted to keep tight reins on who had access to client data. And while O'Pry did consider other solutions, he contends that none could support his firm's "few thousand" clients as effectively as Entegra. "Previous options wereand still arecostly, time-consuming and not nearly as efficient in detail," he says.