Robo-Advisers Included Among SEC Examination Priorities

In our previous post, we described the SEC’s announcement of examination priorities in 2020 for the Commission’s Office of Compliance Inspections and Examinations (OCIE).  In that post, we discussed areas of examination that will apply to a large percentage of registered investment advisors and other regulated entities.  In this post, we focus on another priority, namely robo-advisers.

Otherwise known as automated investment platforms, “robo-advisers” have come under increased scrutiny by OCIE.  The number of these advisers has increased substantially over the last four years.  OCIE intends to focus on issues such as the eligibility of the robo-adviser to register with the SEC, marketing practices engaged in by robo-advisers, the ability to comply with fiduciary duty, the adequacy of the adviser’s disclosures, the effectiveness of the adviser’s compliance program, and the firm’s cybersecurity policies, procedures and practices.

Advisers Act Rule 203A-2(e) permits “internet only advisers” to register with the SEC, provided certain conditions are met and maintained.  Specifically, the adviser must provide investment advice to all clients exclusively through an interactive website and maintain records demonstrating that it does so.  Under the rule, an adviser may provide investment advice through means other than the internet to up to fourteen clients during any twelve-month period. Undoubtedly there are some firms that registered on this basis who were either not eligible at the time or, through the evolution of their business, have strayed from the conditions required to remain eligible for registration.

Similarly, robo-advisers must rely upon marketing techniques designed to drive new client applications exclusively through the advertisement or other non-individualized communication, and cannot rely on traditional practices such as advertisements designed to lead to office visits, in which client’s individual needs are addressed as part of a face-to-face pitch to obtain the client’s business.

The SEC has also stated that OCIE will examine the robo-adviser’s ability to comply with the fiduciary duty applicable to all advisers.  There has always been regulatory skepticism that robo-advisers can fulfill their duties, as has been previously discussed in our blog.  While it would be difficult in many complicated situations to advise a client exclusively through the internet, clients with simple or even average investment needs can be well served by robo-advisers and the low-cost solution they offer. Because recommendations cannot be implemented until the client has completed the online suitability form, robo-advisers will necessarily maintain detailed compliant documentation regarding clients’ objectives, needs and risks.  Thus, the deficiencies commonly uncovered in investment adviser examinations such as the failure to obtain sufficient client identification data, the absence of completed and signed suitability data, and the absence of a written basis to support investment recommendations, are immediately eliminated.

How an adviser describes its own services and limitations will undoubtedly be an area of regulatory focus. Perhaps the greatest risk is that the algorithm or automatic trading program will malfunction or will not function as designed, a situation that could lead to significant client losses. As demonstrated in the SEC’s Wealthfront case from 2019, that kind of failure could lead to unsuitable transactions in clients’ accounts, unwanted tax consequences and other issues. In that case, among other problems, Wealthfront failed to implement a tax harvesting program that it advertised as a benefit to account holders.

The area of cybersecurity also poses unique threats to the robo-adviser.  The necessary collection of critical client data points, including non-public personal and financial information, in order to derive suitability investment recommendations, makes robo-advisers rich targets for cybercriminals and others who would do mischief with client information.  Given the increased risks associated with this electronic data-rich environment, advisers will be expected to design and adopt appropriately customized and enhanced cybersecurity procedures, and to test them more frequently than firms that do not collect and store such data through electronic means. Additionally, we expect that OCIE will examine robo-advisers to determine whether they have taken adequate steps to educate and inform their clients regarding how to protect their own data through interactions with the adviser’s website.

Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including compliance with federal and state laws and rules. Please visit our website for more information.