Investment firms adopting the latest SEC regulations are confronting the most substantial changes since the 2008 financial crisis, leaving firms wondering where to focus their time and resources to ensure compliance.
To help navigate this regulatory jungle, SS&C Advent recently hosted a Compliance 101: Hear from Industry Leaders webinar, with the Investment Adviser Association and ACA Group. The conversation covered several investment industry regulations, including:
- Off-Channel Communications
- Cybersecurity
- Marketing
Here are the top takeaways and what they mean for investment management firms.
Off-Channel Communications
The SEC and CFTC are coming down hard on firms that have failed some fundamental record-keeping requirements pertaining to off-channel communications. Recently, regulators uncovered the widespread use of personal devices and non-official channels to discuss business and a complete failure by a few financial firms to maintain or preserve those off-channel communications. A 2024 Investment Management Compliance Testing Survey conducted by the ACA Group, Investment Adviser Association, and Yuter Compliance Consulting found that, regarding off-channel communications:
- 42% of firms are only allowing business email and telephone as approved communication methods; only 23% of firms permit the use of texting for business purposes
- 91% of firms are updating their policies and procedures to accommodate the increased regulatory scrutiny and what could be hefty fines
- 86% of firms are training employees on approved communication compliance actions and retention policies
Cybersecurity
New requirements finalized in May this year for protecting client data, called Reg S-P, require broker-dealers, RIAs, investment companies, and transfer agents to have a program to detect, respond to, and recover from incidents that expose sensitive customer data to unauthorized use or access. Firms must notify all impacted customers of these incidents as soon as possible, but certainly within 30 days of detection.
Nowadays, most firms have plans to protect personally identifiable information (PII). Yet only some firms test those plans or have significant policies to ensure sensitive customer data is appropriately stored and deleted. The most important takeaway regarding Reg S-P is ensuring that service providers of covered firms can guarantee protection against the unauthorized use of and access to customer data and notify the firm within 72 hours if an incident occurs.
Marketing
Industry coverage has discussed the marketing rule over the last several years. Recently, though, the SEC charged 16 firms for the use of hypothetical performance on their websites. Additionally, the SEC announced it fined two RIAs for “AI Washing”: falsely claiming to use AI in their investment processes, misleading their investors, and misrepresenting their capabilities. With the increasing hype and realities around AI, it’s not surprising that this has become a focal point in regulatory enforcement.
Adapting to compliance
If there is only one message regarding compliance and regulatory updates, it is that the industry is changing rapidly. For some firms, it might just mean tending the garden a bit; for others, it might mean fundamental changes in how they communicate with clients and prospects and subsequently protect their data. To gain insights into how these regulatory changes impact your business operations and strategies, be sure to watch the webinar, Compliance 101: Hear from Industry Leaders.