By Yuri Bredle
Managing compliance remotely comes with its own set of challenges, but as with any new task or discipline, it gets easier the more you do it.
In our interactions with compliance officers, we’ve picked up on some key questions being asked, such as:
- Will operations, policies and procedures at RIAs change as a result of working remotely? (Yes, absolutely.)
- Are SEC examinations happening at a higher frequency? (It would appear so.)
- Are there best practices for managing compliance remotely with the same thoroughness as in the office? (Yes, indeed.)
Our Chief Strategy Officer, Dina Tantra, held a webinar on managing compliance remotely to get perspectives from three industry experts – Jody Foster of Symphony Consulting, Nicole Kalajian of Stradley Ronon and Melanie Mendoza, CCO at Matarin Capital.
This article is a readout of the advice that was shared on how to manage SEC compliance remotely.
There’s a new normal for operations.
With working from home becoming a de facto standard operating model for more firms, new compliance challenges have arisen, thus prompting changes in how firms operate. These changes are fast-paced, and there is a need to update compliance just as fast.
Some changes are happening at the most basic operating level, but they’re vitally important because you want to ensure there’s no interruption in client service. For example, you need to make sure client checks and all other physical mail are received and processed in a timely manner.
Identify who the appropriate person will be to process client checks. Is that person coming into the physical office, and, if so, how often? Will mail be forwarded to a principal, or someone other than a principal?
You can also transition clients away from paper where possible. Discuss with clients your platform for reviewing digital agreements and make sure electronic delivery is acceptable.
The issue of safeguarding Personally Identifiable Information (PII) crops up when printing documents at home. Like salt and pepper or a horse and carriage, consider providing a shredder wherever you have a printer.
Take a hard look at your cybersecurity measures.
Keeping tight cybersecurity, always a priority, takes on additional importance with remote work since criminals will try to take advantage of new security lapses.
In fact, the OCIE recently issued a risk alert on the increase in credential stuffing, a cyberattack method that uses automated scripts to attempt to log into customer accounts with stolen personal information. Internet-facing websites, including those hosted by third-party vendors (think videoconferencing services, file sharing platforms, etc.), face an increased risk of this type of attack.
In light of today’s heightened risk environment, here are some steps to ensure strong cybersecurity:
- Use secure platforms for video conferencing and document sharing with clients.
- Conduct additional reviews of personnel access rights as individuals take on new or expanded roles.
- Ensure that remote access servers are secured effectively and kept fully patched.
- Implement multifactor authentication.
- Don’t forget to consider third parties, who may be operating remotely when accessing your firm’s systems.
Incorporate remote working into your policies and procedures.
It’s important to update policies and procedures to account for the operating realities of working remotely.
Even if remote work is never going to be your permanent operating model, there are other situations that may require a firm to temporarily operate on a fully remote basis. And some beneficial aspects of remote work may even become part of a new status quo for some firms.
For these reasons, it’s advisable to include certain remote work standards in your policies and procedures, such as:
- Modifying normal check processing practices during temporary office shutdowns
- Disclosing to investors that checks or assets mailed to the firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.
- Modifying practices to address supervisors not having the same level of oversight and interaction with staff when they are working remotely
- Revising policies and procedures to reflect the new remote work reality
- Supervised persons may have new or expanded roles
- Modifying or enhancing security and support for remote sites
  - Securing servers and systems
  - Integrity of vacated facilities
  - Support for personnel operating from remote sites
  - Protecting remote location data
- Protection of sensitive information
  - Remote access to networks
  - Use of web-based applications (e.g. Zoom)
  - Increased use of personally-owned devices
  - Printing at remote locations
  - Absence of personnel at firms’ offices
- Providing personnel with additional training related to:
  - Phishing and other targeted cyberattacks
  - Sharing information while using certain remote systems (e.g. Zoom)
  - Encrypting documents
  - Password-protected systems
  - Destroying physical records at remote locations
How to handle remote examinations.
Are exams really becoming more frequent? More prevalent?
When we surveyed the RIAs who joined our webinar, about 16% said they are going through exams. Panelist Jody Foster shared with us that three-fourths of her clients have had exams. That’s just an indication of the breadth of where the SEC is going.
“It’s quite unusual. In the last eight months, six of my eight clients have had exams.”
Not surprisingly, SEC exams right now focus a lot on how firms are handling remote work.
Since they’re conducted over a phone call, there is no longer the ability to read body language when explaining strategy. Doing this over the phone takes a bit more explanation and more patience.
If you get flagged with a deficiency letter, take things one step at a time. Engage in the phone calls. Go through the information. And, while it may cycle a few times—or even more than a few—the process is still fairly straightforward and orderly.
One strategy for being prepared for an examination is to conduct a self-exam ahead of time. Test how disciplined your teams are about storing documents such as proof of death, power of attorney, etc.
While it can be difficult to remember to keep these documents in the file, having everything on hand where it belongs as a matter of habit will make the SEC exam go much more smoothly.
Also, socialize your system. Make sure every member of your staff, working from his or her individual home, knows that this is where you store that particular document.
Remote compliance best practices – know the key areas to focus on.
There are best practices for managing compliance remotely with the same thoroughness as in the office. Watch for inconsistencies that materialize during the transition from working together in one location to a remote arrangement across multiple locations.
A great starting point is to review the risk alert issued by the OCIE. When they identified six major categories to be on alert for deficiencies, they essentially gave us a best practices outline to follow.
Pay strict attention to your compliance in these major categories:
- Protection of investors’ assets
- Supervision of personnel
- Practices relating to fees, expenses and financial transactions
- Investment fraud
- Business continuity
- The protection of investor and other sensitive information
For more on this, we covered the details here when this alert first came out.
Rolling with the changes.
Managing compliance remotely is a discipline, much like Pilates or yoga. What may feel different or awkward at first can soon become second nature; and the flexibility it affords may offer certain advantages, depending on how you look at it.
You CAN (and really must!) put systems in place to make compliance run like clockwork, even remotely.
Your clients will be confident in you. You’ll be confident in passing any SEC exam.
And, whether at the office or at the home office, you’re taking care to consistently act in the fiduciary role you were hired for.