Published March 13, 2019
Compliance management in the RIA industry is quite literally an industry unto itself. Every RIA, whether state-registered or SEC-registered, has its own Chief Compliance Officer and unique compliance program. Most of us don’t pay close attention to the sheer size of the RIA industry, but there are currently over 35,000 RIAs in the U.S. Further, if you strip out corporate-type RIAs such as those tied to broker-dealers and the large asset management firms, etc., that leaves roughly 9,000 SEC-registered RIAs (with AUM > $100 million) and roughly 24,500 state-registered RIAs (with AUM < $100 million). Needless to say, that is a lot of compliance work!

While there are many RIAs with highly qualified CCOs who have the skills required to navigate the changes in the regulatory landscape and implement needed compliance program/process changes, there are many that don’t. In fact, probably 30% or more of these RIAs likely don’t have the right compliance program in place, have deficiencies of varying degrees or don’t have skilled CCOs. After all, it’s a big job encompassing many areas across a financial firm. Clearly, this population of RIAs and all of their vulnerabilities are keeping the regulators in business! The RIA industry is a goldmine for the SEC and state regulators who obtain a lot of their funding from fines.

Is this sustainable? We don’t think so. There are just too many siloed, individual compliance programs and too many CCOs. For this reason alone, one might think that the industry is, therefore, ripe for consolidation, and they are probably right! If you consider other factors including aging advisors, fee compression, robo competition, and the overall rising costs of running an RIA where scale and operating leverage matter, then you are definitely right. To that end, it’s not surprising to see so many new serial consolidators in the industry seeking to “roll-up” such RIAs to attain and leverage scale.
RIA Compliance Never Sleeps
While some RIAs do all of their own compliance work, these are the minority. Most RIAs rely on some level of third-party compliance support firms to update ADVs and manage or monitor a myriad of other areas including cybersecurity, mock audits, email & trading surveillance, advertising, social media, and all of the work involved at the account level, etc. In other words, such firms are relying on third parties because they clearly do not have the expertise or skills required to self-manage compliance independently. Further, while compliance support firms are very helpful, a fair amount of the actual implementation of compliance processes they recommend is on the shoulders of the RIA owner/CCO. Lack of implementation or follow-through alone creates regulatory risk. It’s well known that the SEC likes to surprise advisors with audits and uses a “shock & awe” approach where they show up with a surprise list of 200+ questions at the worst possible time, demanding a prompt, comprehensive response. They intend to catch advisors off guard and see how they perform under duress as this helps expose vulnerabilities. Dropping absolutely everything you do for 4+ weeks to focus on an SEC audit is a showstopper.
Why leave your firm open to risk in this manner? Stay tuned for part two next week as we discuss a better way to manage RIA compliance.