Bill Hortz's picture

"This is not an area where it’s better to ask for forgiveness than permission because failure to ask for permission can result in a very public and humiliating enforcement action." - Todd Cipperman

[Given the growing visibility and enforcement actions of regulatory agencies in the US financial services industry, the Institute for Innovation Development recently talked with Todd Cipperman, Managing Principal of Cipperman Compliance Services – an industry leader in providing outsourced regulatory compliance services for registered investment advisors, fund sponsors and broker-dealers. The firm offers its clients the opportunity to fully outsource the CCO role or take on a strategic support role and implementation responsibilities in partnership with the in-house CCO.

Because of his unique perspective and real world vantage point working in the trenches with financial advisors, industry leaders and regulatory agencies, we wanted his take on the regulatory actions and trends he sees that we should be most aware of. We also asked for his suggestions on how to best deal head-on with an environment of increasing regulatory oversight and change.]

Hortz: Please share with us what regulatory trends you are seeing that most concern you.

Cipperman: There are a number of regulatory compliance trends that we expect to impact investment managers for the foreseeable future.  One trend is the SEC’s ever-expanding regulatory and enforcement agenda. Many assumed with the new administration in Washington that regulation was going away but we're not seeing that at all - the number of examinations are way up.

Chairman Clayton has really doubled down on the examination program that Mary Joe White pushed. He has said, very publicly, he wants to double the number of advisor exams so that the SEC will examine up to 20% of advisers very year, up from the 10% under the Mary Joe White regime. He's asked for a lot more resources to do that.

Second, more examinations tend to lead to more enforcement actions, especially those targeting senior executives. Mary Joe White and prior enforcement directors have said they wanted to prosecute individuals because of the significant deterrent effect. Chairman Clayton has supported the prosecution of individuals because senior executives will walk the line when threatened with reputation and career-ending enforcement actions. The fact that an executive could be charged personally has a significant chilling effect.

Third concerning trend is the focus on service providers and their securities markets gate-keeping role. We see cases against administrators, custodians, lawyers, accountants, auditors, consultants, even where such service providers are not directly regulated by, or registered with, the SEC. The courts and the regulators have posited that the service providers should have responsibility for the actions of their clients; that we all have an obligation to make sure the securities markets stay clean. Service providers have responded by conducting more prospect due diligence and raising fees.  It also has the unintended consequence of raising insurance rates.  

The fourth big trend we see is a move to a super-fiduciary standard. I'm not talking about the DOL fiduciary rule. What I'm talking about is how the SEC defines an advisor's fiduciary obligations through enforcement actions. What is considered a conflict of interest? What does it mean to put yourself behind the clients interests at all times? The SEC has been raising the fiduciary bar through enforcement cases. You're seeing cases involving wrap programs, revenue sharing, pay to play, and suitability. In the recent “best interest” release which was just promulgated by the SEC, there was an overlooked companion release about an advisor’s fiduciary obligations which codifies this to a super fiduciary standard.

A fifth trend firms also cannot ignore is technology and cyber security. It’s about protecting your firm and your service providers against a third party hack. There's been cases where a third party cloud provider was hacked but, the advisor was deemed to be liable. That's causing a huge spend in the industry around systems and analysis and people. The SEC has been very clear that cyber security policy and related procedures fall within a compliance officer’s responsibilities. Not necessarily the technology components but things like corporate governance and incident response. Service provider due diligence in this area in particular are things the compliance officer has to focus on.

Hortz: There’s a lot to be concerned about! From the other vantage point of industry compliance leaders and senior managements, what was the most telling or surprising things you learned from your last financial services industry compliance survey you conducted?

Cipperman: I suppose the good news, if you look at the trends, is that firms are more and more acknowledging the vital importance of compliance. They’ve gone from the “necessary evil” category to more firms seeing it as either really important to attract new business, because of operational due diligence requirements, or at least as a way to protect the firm against regulatory risk. The C-suite is getting it.

I think what's more troubling though is that 25% to 50% of our respondents said they're not confident of passing a regulatory exam. They acknowledge the importance of compliance and, more importantly, are spending more money on compliance. Yet their confidence level in their programs is going down. I think that suggests that the current model of compliance is not working.

Most firms still utilize the “hire and hope” model:  hire someone who has extensive regulatory or some compliance experience. Senior management generally has no idea how to assess this technical expert’s job performance. The CCO becomes the only expert in a sea of non-experts.

I think that leads to bad results and lack of confidence in the program. I think the compliance profession, though, is getting professionalized if you will. I think there are firms like mine who offer outsourced services or compliance support. I think what you're starting to see is a change. Years ago with fund administration, everyone did it in-house when they started mutual funds. Now few do it in-house. You have professional third party administrators doing that. I think the compliance business is heading in that same direction.

Hortz: In what areas do you see that independent advisors and RIAs are least prepared and most vulnerable?

Cipperman: We use a term called “compliance voodoo”. What we mean by that is the idea that firms think they have a compliance program but really don't have anywhere near an effective compliance program. You're seeing the SEC bring a lot of these cases where firms have a compliance officer and compliance manual but fail to implement effective procedures and testing to ensure regulatory compliance. 

We’re seeing a lot of cases related to programs that haven't done proper testing or adequate reviews or failures to observe information barriers. There may have been a policy or written procedures, but nobody paid much attention. The SEC's getting wise to this. In the early days of compliance, firms were getting tagged for not having any compliance program. Now they may have a program, but the SEC is evaluating that program - the program’s effectiveness and the way it is carried out.

Hortz: So what compliance priorities should firms be focusing on right now?

Cipperman: First of all you have to right size the program for your firm. How do you determine what the right size is? Our benchmarking would suggest that you should be spending a minimum of 5% of revenue on the compliance function. Some studies report that firms spend around 7% of total operating cost on compliance. As you're thinking about that, I'm not going tell you if you're at 3.5% or if you are at 7% that you're too little or too much. It's just a benchmark.

 The next step is, once you figure out your budget for compliance, you have to figure out how to spend that budget. There are three different ways to do that. You can hire fully in-house, which is still the way most firms do it. Two, you can hire a firm like ours to be an outsourced CCO to run the program. Or you can do a combination of the two. We have seen some data that roughly two-thirds of firms use an outside firm like ours to some extent, even if they have an in-house CCO. Most firms are starting to do some sort of hybrid.

So, you have to  decide what you're going to spend, decide how you're going to spend it, decide who's going to do the work, and then you have to decide where you're going to focus those resources. I think very few firms look at it analytically that way. You may end up, by doing it analytically, spending less and having more effect.

Hortz: From a strategic top-down perspective, those are the priorities. What do you recommend are the 2-3 actions advisors can do right now to best protect their business from regulatory risk?

Cipperman: One is certainly hiring a third party firm to do a mock audit. At least you can get a baseline on what your weaknesses are. Also, if you've ever had an examination, make sure you've fully addressed the issues that the SEC or FINRA have raised. I would also review the Risk Alerts and Examination Priorities issued by the regulators. You also need to hire a dedicated Chief Compliance Officer.  The dual-hat model really doesn’t work, and the SEC sees a dual-hatted C-suite CCO as a regulatory red flag. Whether it's in-house or outsourced, you need someone who's focused full-time on compliance.

Hortz: Are there any innovative new tools that can meaningfully be of help in the compliance area? What is your view of the growing RegTech space in general?

Cipperman: I'll start with the negative and then go to the positive. I think firms sometime think technology is the “be all and end all”. That they can use technology and that's going to be their compliance system. It's not. RegTech provides tools. I think they're best used by the right craftspeople, meaning competent compliance people. You could leverage a really good compliance person if you give that person the right tools.

Some of these tech tools are excellent: social media account reviews, emails, personal trading, best execution modules, portfolio compliance. There's some great stuff out there, but I've come across way too many firms that have bought technology or licensed technology and then fail to implement it. They don't know how best to apply it. I think that's a real gap. This is a big data exercise. You need people that know how to handle big data. Big data requires some big tools, tech tools. Clearly we're going to have continuing technological advances in this space because it's needed. I think it's going to be in conjunction with qualified compliance people that know how to use these tools.

Hortz: What best practices do you see on how firms are building a culture of compliance?

Cipperman:  You need to constantly be asking tough questions and acting on them: Is your compliance program more than a veneer? Is there actual testing going on? Is there constant improvement? Are you identifying weaknesses and fixing those weaknesses? Are you punishing recidivists in your organization that continually violate rules? Are you sensitive to resource demands of your compliance function? Are you doing the best practices like having a product evaluation committee? Do you have a compliance committee where senior executives participate in conversations about compliance?

These are all areas that evidence there is a compliance culture; that you're not just talking compliance but that you're involved in it and you're actually supporting it. Many organizations cannot evidence that.

Hortz: What best advice can you share with advisors on getting a firm handle on ongoing regulatory and compliance issues in the industry?

Cipperman: I think, the best advice I can give, in terms of how you think about compliance, is that when you're a registered investment advisor, you're not operating in a free society. What I mean by that is a free society basically takes the view that you can do whatever you want so long as there's not a rule prohibiting it. That's not how regulated entities work. Regulated entities are just the opposite.

Advisors are working much more in a state society. Let's say it a different way. You can't do anything unless the rules allow it. You have to have that mindset when it comes to compliance. Before you run ahead and do something, make sure you can do it. Just because you don't know you can't do it doesn't mean you can. This is not an area where it’s better to ask for forgiveness than permission because failure to ask for permission can result in a very public and humiliating enforcement action.

This article was previously posted on Financial Advisor Magazine Online.

The Institute for Innovation Development is an educational and business development catalyst for growth-oriented financial advisors and financial services firms determined to lead their businesses in an operating environment of accelerating business and cultural change. We position our members with the necessary ongoing innovation resources and best practices to drive and facilitate their next-generation growth, differentiation and unique community engagement strategies. The institute was launched with the support and foresight of our founding sponsors - Pershing, Voya Financial, Ultimus Fund Solutions, Fidelity, and Charter Financial Publishing (publisher of Financial Advisor and Private Wealth magazines). For more information click here.


Sign Up for Your Free Innovation Newsletter