As registered investment advisers (RIAs) prepare to meet the demands of the Dodd-Frank Act, some are finding that their IT groups are not ready to support new compliance processes and requirements. Passed in July 2010, Dodd-Frank will require an expanded class of companies to register with the SEC. After registering, these new RIAs (along with existing RIAs) will be required to implement written compliance policies and procedures and to perform annual compliance assessments, and will be subject to SEC examination, among other changes.
To be successful, RIAs' compliance strategies must be supported by robust processes and technologies. But because some companies fail to bring IT into the compliance planning process from the beginning, they find themselves stuck with processes that IT cannot support. Others have not performed adequate assessments of their IT capabilities to identify and remediate shortcomings.
Current and future RIAs should work with IT to create and/or enhance policies and upgrade procedures and systems to support Dodd-Frank compliance initiatives. The areas of focus needed to build a successful compliance strategy include records management, email retention, oversight of third-party service providers and business continuity, among others.
Compliance with the new requirements mandates not only careful planning, training and implementation, but also a capabilities assessment of the IT systems that make compliance possible. With such an assessment, IT can identify gaps between the technology's capacity and existing processes and the demands of new compliance requirements, and make improvements as needed.
The real key to success, however, is making IT a full partner -- from the beginning -- in crafting a compliance strategy. With adequate time and a full understanding of the technological needs of each stakeholder, IT can be a change enabler and catalyst. However, if planners treat technology considerations as an afterthought -- as many do -- compliance initiatives will inevitably face challenges that could leave you unable to stand up to the rigors of an SEC examination and expanded reporting requirements.
6 Steps to Improving SEC Compliance for RIAs
An effective technology plan for registration as an RIA should begin with a baseline current-state assessment of IT policies, procedures, risks and control activities. The goal of this assessment is to identify and document necessary improvements in the key compliance technologies and related processes that comprise your RIA compliance program. When reviewing IT's current capabilities and capacity, focus on:
1. Electronic Records Management. Successful compliance requires a sophisticated ability to archive, maintain, report on and recall relevant operational data. Of all the IT focus areas, records management will likely be the most complex and challenging. It entails capturing written and electronic records, historical data, data acquired through acquisitions, and multiple copies of the same files that reside in siloed locations throughout the company.
From the outset, compliance, operations and other stakeholders must work with IT to determine which systems contain the official records. Beyond categorizing data, IT must also correlate it to software/application systems, associated servers and databases, network drives and other data repositories and create a current archival inventory. During this process, IT can identify gaps where archival tools and processes are missing or insufficient.
2. Protection of Investor Data. Working with stakeholders companywide, IT should review its data-protection and security and privacy policies to identify gaps between existing security policies and SEC requirements. With this information, IT can create a risk-based remediation plan to address these gaps through technology enhancements and procedural adjustments, such as expanding entitlement reviews to cover additional systems and privileges. It is vital that IT keep all data-protection tools, practices, policies and procedures current on an ongoing basis, and deploy these enhanced security measures in new systems and processes.
3. Email and IM Retention. RIAs must be able to archive all email and instant message communications. Companies that do not have archival tools or third-party service providers in place should acquire such tools or contract with a third-party service provider that can meet the compliance function's needs. These tools should work seamlessly with existing security and archival systems and provide monitoring of load status, data purges, and changes to key logging and retention settings.
4. Business Continuity. Companies typically create business continuity plans for moments of crisis, and IT is usually the steward. As the organization changes systems and procedures to support SEC compliance, it must update its business continuity plans to ensure that these changes are addressed.
A robust business continuity plan begins with the execution of a business impact analysis (BIA), updated periodically when changes to the business occur. The results of the BIA can be used to drive the development of the plan and to identify gaps in existing plans. IT then can work with the business to prioritize remediation efforts, assign ownership and track progress.
5. General IT Controls. IT should make certain that it has formal and evidenced control processes in place for change management, logical and physical security administration, job/process scheduling, operations management, and backup and recovery. Working closely with members of the compliance team, IT must also create mechanisms -- such as internal audits or risk and control self-assessments -- to periodically evaluate the design and operation of these controls in order to identify and close regulatory gaps.
6. Oversight of Third-Party Service Providers. IT general controls, security, business continuity planning and records management assessments must include an examination of the third-party service providers currently working with the company. Compliance officers and IT can approach this assessment by classifying all outside services the firm uses and ranking them by level of risk. In conducting the IT controls assessment, the services provided by the vendor should dictate where you focus your evaluation efforts (e.g., governance, personnel controls, logical security, physical security). After a thorough assessment of third-party service providers is completed, the results can be analyzed and integrated with the company's broader vendor-assessment effort.
IT Inclusion Is Key to Compliance Success
Four to six weeks is the expected timeline for completing the baseline IT diagnostic -- for companies that have included IT in compliance readiness discussions from the beginning (and committed the appropriate resources). After completing these assessments, companies that already have in place the basic IT structures needed to support Dodd-Frank compliance initiatives may be able to get by with relatively simple reconfigurations and adjustments. They can hold training and awareness sessions to introduce upgraded processes and address individual compliance issues as they arise.
However, companies that keep IT in the dark during the planning process face more formidable challenges. Without adequate time to create baseline assessments of system capacities, IT will be forced to prioritize remediation efforts, leaving some components of the compliance plan incomplete. A company that must develop or acquire new systems to support compliance will need months or even a year to implement them, depending on the resources it can put behind the effort.
Finally, there are large companies with longstanding RIA credentials that may mistakenly feel that they already have their compliance house in order. They should remember that Congress is still writing some rules for major components of Dodd-Frank, and reporting requirements remain fluid. Even established RIAs should assess their compliance practices and perform IT diagnostics.
Ultimately, regulators want to see if RIAs possess the right governance model and the right practices to run the business and protect investors. RIAs should be able to demonstrate that they have plans to fix any processes and systems that are not compliant and be able to show their progress against their plans.