Cynthia Doe and Daniel New, Ernst & Young

For RIAs, Successful Dodd-Frank Compliance Must Start Now

With new Dodd-Frank Act rules looming, registered investment advisers must make certain that their IT supports new regulatory compliance requirements, according to Ernst & Young’s Cynthia Doe and Daniel New.

As registered investment advisers (RIAs) prepare to meet the demands of the Dodd-Frank Act, some are finding that their IT groups are not ready to support new compliance processes and requirements. Passed in July 2010, Dodd-Frank will require an expanded class of companies to register with the SEC. After registering, these new RIAs (along with existing RIAs) will be required to implement written compliance policies and procedures and to perform annual compliance assessments, and will be subject to SEC examination, among other changes.

To be successful, RIAs' compliance strategies must be supported by robust processes and technologies. But because some companies fail to bring IT into the compliance planning process from the beginning, they find themselves stuck with processes that IT cannot support. Others have not performed adequate assessments of their IT capabilities to identify and remediate shortcomings.

Current and future RIAs should work with IT to create and/or enhance policies and upgrade procedures and systems to support Dodd-Frank compliance initiatives. The areas of focus needed to build a successful compliance strategy include records management, email retention, oversight of third-party service providers and business continuity, among others.

Compliance with the new requirements mandates not only careful planning, training and implementation, but also a capabilities assessment of the IT systems that make compliance possible. With such an assessment, IT can identify gaps between the technology's capacity and existing processes and the demands of new compliance requirements, and make improvements as needed.

The real key to success, however, is making IT a full partner -- from the beginning -- in crafting a compliance strategy. With adequate time and a full understanding of the technological needs of each stakeholder, IT can be a change enabler and catalyst. However, if planners treat technology considerations as an afterthought -- as many do -- compliance initiatives will inevitably face challenges that could leave the firm unable to stand up to the rigors of an SEC examination and expanded reporting requirements.

6 Steps to Improving SEC Compliance for RIAs

An effective technology plan for registration as an RIA should begin with a baseline current-state assessment of IT policies, procedures, risks and control activities. The goal of this assessment is to identify and document necessary improvements in the key compliance technologies and related processes that make up your RIA compliance program. When reviewing IT's current capabilities and capacity, focus on:

1. Electronic Records Management. Successful compliance requires a sophisticated ability to archive, maintain, report on and recall relevant operational data. Of all the IT focus areas, records management will likely be the most complex and challenging. It entails capturing written and electronic records, historical data, data acquired through acquisitions, and multiple copies of the same files that reside in siloed locations throughout the company.

From the outset, compliance, operations and other stakeholders must work with IT to determine which systems contain the official records. Beyond categorizing data, IT must also correlate it to software/application systems, associated servers and databases, network drives and other data repositories and create a current archival inventory. During this process, IT can identify gaps where archival tools and processes are missing or insufficient.

2. Protection of Investor Data. Working with stakeholders companywide, IT should review its data-protection and security and privacy policies to identify gaps between existing security policies and SEC requirements. With this information, IT can create a risk-based remediation plan to address these gaps through technology enhancements and procedural adjustments, such as expanding entitlement reviews to cover additional systems and privileges. It is vital that IT keep all data-protection tools, practices, policies and procedures current on an ongoing basis, and deploy these enhanced security measures in new systems and processes.

3. Email and IM Retention. RIAs must be able to archive all email and instant message communications. Companies that do not have archival tools or a third-party service provider in place should acquire such tools or contract with a provider that can meet compliance's needs. These tools should work seamlessly with existing security and archival systems and provide monitoring of load status, data purges, and changes to key logging and retention settings, so that a lapse in capture or an unauthorized change to retention periods is detected rather than discovered during an examination.

4. Business Continuity. Companies typically create business continuity plans for moments of crisis, and IT is usually the steward. As the organization changes systems and procedures to support SEC compliance, it must update its business continuity plans to ensure that these changes are addressed.

A robust business continuity plan begins with the execution of a business impact analysis (BIA), updated periodically when changes to the business occur. The results of the BIA can be used to drive the development of the plan and to identify gaps in existing plans. IT then can work with the business to prioritize remediation efforts, assign ownership and track progress.

5. General IT Controls. IT should make certain that it has formal and evidenced control processes in place for change management, logical and physical security administration, job/process scheduling, operations management, and backup and recovery. Working closely with members of the compliance team, IT must also create mechanisms -- such as internal audits or risk and control self-assessments -- to periodically evaluate the design and operation of these controls in order to identify and close regulatory gaps.

6. Oversight of Third-Party Service Providers. IT general controls, security, business continuity planning and records management assessments must include an examination of third-party service providers currently working with the company. Compliance officers and IT can approach this assessment by classifying and ranking by level of risk all outside services the firm utilizes. In conducting the IT controls assessment, the services provided by the vendor should dictate where you focus your evaluation efforts (e.g., governance, personnel controls, logical security, physical security). After a thorough assessment of third-party service providers is completed, the results can be analyzed and integrated with the company's broader vendor-assessment effort.
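The entitlement review in step 2 and the periodic control evaluation in step 5 both come down to the same reconciliation: what each system actually grants, compared against what compliance has approved and against who is still employed. The following is an added example, not code from the article or from Ernst & Young, showing that reconciliation over a constructed HR roster, approved-entitlement baseline and access export. Every system name (OMS, ARCHIVE, AD), user, role and date below is made up for illustration; a real review would read these from the firm's HR system and from each system's access export.

```python
"""Entitlement review reconciliation (added example, constructed data).

Compares the privileges each system actually grants against an
approved-entitlement baseline and an HR roster, and returns findings that
can be retained as evidence of the review.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2011, 6, 30)  # constructed review date

# Constructed HR roster: user -> (status, termination date or None)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("active", None),
    "cwu": ("terminated", date(2011, 3, 15)),
    "dpatel": ("active", None),
}

# Constructed approved entitlements: (system, user) -> approved roles
APPROVED = {
    ("OMS", "asmith"): {"trader"},
    ("OMS", "bjones"): {"trader", "trade_supervisor"},
    ("OMS", "dpatel"): {"trader"},  # approved but never provisioned
    ("ARCHIVE", "dpatel"): {"reader"},
    ("AD", "asmith"): {"user"},
    ("AD", "bjones"): {"user"},
    ("AD", "dpatel"): {"user"},
}

# Roles treated as privileged: an unapproved grant of these is a high finding
PRIVILEGED = {"trade_supervisor", "archive_admin", "domain_admin"}

# Constructed export of what each system actually grants: (system, user, role)
OBSERVED = [
    ("OMS", "asmith", "trader"),
    ("OMS", "bjones", "trader"),
    ("OMS", "bjones", "trade_supervisor"),
    ("OMS", "cwu", "trader"),                # terminated user, access not revoked
    ("ARCHIVE", "dpatel", "reader"),
    ("ARCHIVE", "dpatel", "archive_admin"),  # privileged role, not approved
    ("ARCHIVE", "svc_backup", "reader"),     # account with no HR record
    ("AD", "asmith", "user"),
    ("AD", "asmith", "vpn_user"),            # unapproved, not privileged
    ("AD", "bjones", "user"),
    ("AD", "bjones", "domain_admin"),        # privileged role, not approved
    ("AD", "dpatel", "user"),
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    system: str
    user: str
    role: str
    reason: str


def review(observed, approved, roster, privileged, as_of):
    """Reconcile observed grants with the approved baseline and HR roster."""
    findings = []
    for system, user, role in observed:
        hr = roster.get(user)
        if hr is None:
            findings.append(Finding("high", system, user, role,
                                    "account has no HR record"))
            continue
        status, term_date = hr
        if status == "terminated":
            days = (as_of - term_date).days
            findings.append(Finding("high", system, user, role,
                                    f"terminated {days} days ago, access not revoked"))
            continue
        if role not in approved.get((system, user), set()):
            sev = "high" if role in privileged else "medium"
            findings.append(Finding(sev, system, user, role,
                                    "grant not in approved entitlements"))
    # Approved entitlements with no matching grant are not an access risk,
    # but they show the baseline has drifted from what is provisioned.
    observed_set = set(observed)
    for (system, user), roles in approved.items():
        for role in roles:
            if (system, user, role) not in observed_set:
                findings.append(Finding("low", system, user, role,
                                        "approved entitlement not provisioned; baseline may be stale"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.system, f.user, f.role))


def summarize(findings):
    """Count findings by severity for the summary line of the review record."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def evidence_lines(findings, as_of):
    """Render findings as dated lines suitable for retention as review evidence."""
    return [f"{as_of.isoformat()} {f.severity.upper():6} {f.system}/{f.user} role={f.role}: {f.reason}"
            for f in findings]


if __name__ == "__main__":
    results = review(OBSERVED, APPROVED, HR_ROSTER, PRIVILEGED, REVIEW_DATE)
    print("\n".join(evidence_lines(results, REVIEW_DATE)))
    print(summarize(results))
```

The three classes of finding are deliberately distinct: an account with no HR record and a terminated user who still has access are joiner/leaver control failures, an unapproved grant is an entitlement failure (weighted higher for privileged roles), and an approved entitlement that was never provisioned is a sign the baseline itself is stale. Keeping the dated output alongside the input exports is what turns the review into the "evidenced" control the article asks for in step 5.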

IT Inclusion Is Key to Compliance Success

Four to six weeks is the expected timeline for baseline IT diagnostic completion -- for companies that have included IT in compliance readiness discussions from the beginning (and committed the appropriate resources). After completing these assessments, companies that have the basic IT structures in place needed to support Dodd-Frank compliance initiatives may be able to get by with relatively simple reconfigurations and adjustments. They can hold training and awareness sessions to introduce upgraded processes and address individual compliance issues as they arise.

However, companies that keep IT in the dark during the planning process face more formidable challenges. Without adequate time to create baseline assessments of system capacity, IT will be forced to prioritize remediation efforts, leaving some components of the compliance plan incomplete. A company that must develop or acquire new systems to support compliance will need months or even a year to implement them, depending on the resources it can put behind the effort.

Finally, there are large companies with longstanding RIA credentials that may mistakenly feel that they already have their compliance house in order. They should remember that the SEC and other regulators are still writing the rules for major components of Dodd-Frank, and reporting requirements remain fluid. Even established RIAs should assess their compliance practices and perform IT diagnostics.

Ultimately, regulators want to see if RIAs possess the right governance model and the right practices to run the business and protect investors. RIAs should be able to demonstrate that they have plans to fix any processes and systems that are not compliant and be able to show their progress against their plans.

Next Page: 9 questions your IT group should be asking to prepare for new compliance requirements
