2019 Investment Management Compliance Testing Survey: Cybersecurity Still Top Concern
July 9, 2019
Washington, DC (July 9, 2019) – For the sixth year in a row, cybersecurity remains the biggest compliance concern at registered investment adviser firms – with 83 percent of survey respondents identifying cybersecurity as the “hottest” compliance topic and 70 percent indicating that their firms increased compliance testing in this area over the past year.
Compliance professionals at 369 investment adviser firms participated in the 2019 Investment Management Compliance Testing Survey, conducted jointly by the Investment Adviser Association and ACA Compliance Group. Firms of all sizes responded, with 28 percent of respondents managing less than $1 billion, 46 percent managing $1 billion to $10 billion, and 25 percent managing more than $10 billion. Almost two-thirds (64 percent) reported having 50 or fewer employees, which is consistent with industry data showing that the vast majority of investment advisers are small businesses. This year’s survey also revealed that the majority of CCOs (66 percent) continue to wear more than one hat (with 18 percent also serving in some legal capacity).
“Now in its 14th year, our survey continues to be a valuable resource for compliance professionals to benchmark their practices against others in the industry,” said IAA President & CEO Karen Barr. “Among the many key takeaways of this year’s survey – beyond the continued importance of cybersecurity – is that firms continue to strengthen their compliance programs.”
“This survey continues to demonstrate the ongoing maturity of the compliance programs among advisers under the SEC regime. It highlights that with the use of technology and smart testing, advisers can successfully tackle today’s risks,” noted Enrique Alvarez, Senior Principal Consultant, ACA Compliance Group.
Compliance professionals ranked issues relating to advertising and marketing as the second hottest compliance topic (28 percent) after cybersecurity – not surprising, given the SEC’s recent focus in this area including potential amendments to the Advertising Rule. Other areas of concern identified by respondents were issues relating to data privacy, with 23 percent of survey respondents identifying it as the third hottest topic.
The 2019 survey, conducted online throughout May, covered a wide range of topics. Other notable findings include:
- Advertising/Social Media: The most common controls relating to advertising are requiring formal pre-approvals by CCOs (71 percent) and ensuring that materials are logged and tracked as they are prepared (64 percent). The vast majority of firms reported having related written policies and procedures (93 percent), and common testing of marketing activities includes reviewing the firm website (76 percent) and conducting focused reviews of newly created documents (65 percent). The use of social media is on the rise, but firms’ use of social media is still mostly on a very limited “business card” basis, consistent with last year’s results.
- Custody: In response to the SEC staff’s February 2017 custody guidance, 26 percent of survey respondents reported adopting additional controls and processes to comply with the requirements of the custody rule. However, a majority of respondents (57 percent) said that their firms did not have to change disclosures as a result of the guidance. In response to the SEC staff’s position on trading practices that are not processed or settled on a delivery versus payment (Non-DVP) basis, firms reported their top controls to be: maintaining a list of authorized persons who can instruct the movement of client assets (24 percent), separation of personnel responsibilities (23 percent), keeping custodians informed of updates to the list of authorized persons (22 percent), and periodically reconciling transfer activity (17 percent).
- Best Execution: The vast majority of survey respondents (88 percent) evaluate best execution with respect to the following types of transactions: equities (88 percent), fixed income (51 percent), derivatives (19 percent), foreign currency transactions (15 percent), and mutual fund share class selection (18 percent). While 63 percent of survey respondents indicated that they do not recommend mutual funds, the top control for those that do is a periodic review to assess whether a lower-cost share class has become available (18 percent). According to most survey respondents (74 percent), engaging a third-party firm to review the best execution process was deemed to be the least effective means of testing.
- Code of Ethics: According to survey respondents, the most common features relating to a code of ethics program include: having someone other than the CCO review trading activity of the CCO (77 percent), employees/access persons certifying that the firm received all trading information on a quarterly basis (68 percent), and using electronic data feeds (57 percent).
- Gifts and Entertainment: 85 percent of survey respondents include gifts and entertainment provisions in the code of ethics; the most common reporting thresholds are $250 and $100.
- Data Privacy: Asked about which data privacy regulations firms have had to adopt written policies and procedures for, 86 percent reported Regulation S-P and 68 percent reported the Identity Theft Red Flags Rule. By contrast, only 30 percent reported being subject to the EU’s General Data Protection Regulation and only four percent indicated being subject to another jurisdiction, including the California Consumer Privacy Act.
- Solicitations/Referrals: Only 28 percent of survey respondents reported relying on third-party solicitors. The primary test for compliance with the cash solicitation rule reported by survey respondents is confirming that a signed written agreement is in place with each party receiving fees (46 percent). With respect to controls, 46 percent reported checking agreements to ensure they include all the required provisions and 42 percent review related disclosures.
- Lobbying: Nearly half of survey respondents indicated that they do not manage or look to manage state/local money. In fact, 30 percent of survey respondents restrict activities to avoid lobbying registration requirements.
- Fees and expenses: The top three areas for testing fee arrangements include whether clients are billed in accordance with their agreements (87 percent), the description of fee arrangements in Form ADV is accurate (70 percent), and the amount of AUM on which the advisory fee is billed is accurate (68 percent). With respect to expenses, the top three tests are making sure expenses are explicitly disclosed (52 percent) and are in line with their agreements (52 percent) or offering documents (43 percent).
- Impact of MiFID II on Research: Less than eight percent of respondents indicated that they were impacted by the new MiFID II requirements that firms unbundle research. When asked whether MiFID II has had any impact on the global marketplace for research, including in the United States, over 90 percent of survey respondents reported no change to date in either the price, quality, or availability of research.
- Whistleblowing: Only 18 percent of survey respondents utilize a whistleblowing hotline.
- Cybersecurity: A high percentage of survey respondents reported doing penetration testing (80 percent vs. 73 percent last year) and phishing testing (75 percent vs. 66 percent last year). A majority reported having cyber insurance.
About the Investment Adviser Association
The Investment Adviser Association (IAA) is the leading trade association representing the interests of SEC-registered investment adviser firms. The IAA’s member firms collectively manage assets in excess of $25 trillion for a wide variety of institutional and individual investors. For more information, visit exchange.investmentadviser.org or follow us on Twitter, LinkedIn and YouTube.
About ACA Compliance
ACA Compliance Group (“ACA”) is a leading provider of governance, risk, and compliance advisory services and technology solutions. We partner with our clients to help them mitigate the regulatory, operational, and reputational risks associated with their business functions. Our clients include leading investment advisers, private fund managers, commodity trading advisors, investment companies, broker-dealers, and domestic and international banks. ACA is based in New York City and has offices in London, Hong Kong, Malta, and other U.S. cities.