SEC Division of Examinations Issues Risk Alert Regarding Electronic Investment Advice

Dechert LLP

The staff of the SEC’s Division of Examinations (Division) released a risk alert on November 9, 2021 (Risk Alert) discussing the staff’s observations and findings from the Division’s recent electronic investment advice initiative (eIA Initiative), a series of examinations of investment advisers that provide “automated digital investment advisory services to their clients” (often referred to as robo-advisory services).1 The eIA Initiative focused on: obtaining a better understanding of the operations of, and services provided by, these firms; and how firms providing electronic investment advice satisfy regulatory obligations and meet the fiduciary duties all advisers owe to their clients. The eIA Initiative included advisers providing: robo-advisory services to employee-sponsored retirement plans and/or retail investors; advisory or sub-advisory services to a digital investment platform; and/or digital investment platform access to third-party advisers, broker-dealers and banks through the sale or licensing of such platform. The eIA Initiative also focused on discretionary robo-advisory services that may implicate rule 3a-4 under the Investment Company Act of 1940 (Rule 3a-4), which provides a non-exclusive safe harbor from being classified as an investment company for certain advisory programs.

While the eIA Initiative and Risk Alert each focus on the practices of advisers offering robo-advisory services, the Risk Alert also draws attention more generally to the “significant increase” in advisers providing electronic investment advice through other business models, from more traditional advisory services supplemented by proprietary or third-party software to robo-advisory services offered online or through mobile applications, including to retail investors. The Risk Alert also builds on themes that the SEC articulated in its recent request for information relating to digital engagement practices (RFI), which includes a discussion of, and requested comments on, the use of information technology in formulating investment advice and interacting with clients.2 In the RFI, the SEC discussed issues that it believes arise related to robo-advisers that: offer limited or no direct human interaction; place “too much importance” on clients’ responses to automated client evaluations (e.g., through use of online questionnaires); or do not effectively understand and oversee algorithms and artificial intelligence used to construct client portfolios. For these reasons, the Risk Alert might be of interest to any adviser using electronic investment advice or other information technology in connection with its advisory services.

Risk Alert

eIA Initiative Intent and Focus

In the Risk Alert, the Division expressed its intention that the eIA Initiative would provide the Division with a “broad understanding” of advisers providing electronic advice through its examination of a diverse set of advisers (e.g., varying bases for registration, business models, investment practices, client types, assets under management) that offer robo-advisory services, sell, license or otherwise grant access to interactive digital platforms (Platforms) to third-party advisers, broker-dealers and banks and/or that provide advisory or sub-advisory services to such Platforms.

Provision of Electronic Investment Advice

The eIA Initiative examinations included a broad review of the selected firms’ adherence to their fiduciary duties to their clients, with specific consideration of:

  • The reasonableness of the adviser’s compliance programs;
  • Annual testing of the compliance program;
  • How advisers formulate investment advice (including whether sufficient information was gathered to form a reasonable belief that the advice was in a client’s best interest);
  • The adequacy and accuracy of disclosures as to conflicts of interest and “customization”;
  • Whether marketing (including performance advertising) complied with the Advisers Act Rule 206(4)-1 (Advertising Rule) and, where relevant, whether “securities selection and portfolio management techniques were used when managing client accounts”;
  • Advisers’ data protection and cybersecurity practices for compliance with Regulation S-P and Regulation S-ID; and
  • The respective adviser’s eligibility for SEC registration.

Use of Discretionary Investment Advisory Programs

The Risk Alert observes that advisers providing electronic investment advice also can sponsor or operate wrap fee programs, mutual fund or ETF asset allocation programs, as well as other investment advisory programs designed to provide the “same or substantially similar” portfolio management services to “a large number of” retail clients; the eIA Initiative includes a review of such programs at “more than two dozen advisers.” Since discretionary investment advisory programs could meet the general definition of an investment company under the 1940 Act, many sponsors of and advisers to such programs seek to rely on the safe harbor provided by Rule 3a-4 to avoid their programs potentially being deemed an improperly unregistered investment company.

Among other things, Rule 3a-4 requires that each client be provided with individualized treatment and the ability to maintain indicia of ownership of their account’s securities.3 As a result, the eIA Initiative reviewed the status of discretionary investment advisory programs recommended by examined firms for compliance with Rule 3a-4 conditions, and “specifically ... inquired as to whether the advisers were aware of how these programs were organized and whether they were being operated in accordance with the nonexclusive safe harbor provided by Rule 3a-4.”

Staff Observations

The Risk Alert states that “[n]early all of the examined advisers received a deficiency letter” and that the most common findings related to: compliance programs; portfolio management; and marketing and performance advertising. The staff also observed that certain advisers relied on, but were “not acting in accordance with, the Internet [A]dviser exemption and ... Rule 3a-4.” In the Risk Alert, the staff provided further discussion and commentary on the concerns it identified in the eIA Initiative.

Electronic Investment Advice

The Risk Alert focuses on the most common findings from the eIA Initiative, which involve: compliance programs (e.g., policies, procedures, testing); portfolio management (e.g., adviser’s fiduciary duty to provide advice that is in each client’s best interest); and marketing/performance advertising (e.g., misleading statements, missing or inadequate disclosure).

  • Compliance programs. The staff observed that “most advisers” that were examined had what the Risk Alert describes as “inadequate compliance programs” due to insufficiently tailored, unimplemented or untested policies and procedures or a “lack” of written policies and procedures altogether. Most notably, the staff observed policies and procedures that were not “specific” to an adviser’s use of a Platform and/or other digital tools to provide investment advice, including policies and procedures considering: whether “algorithms were performing as intended”; whether “asset allocation and/or rebalancing services were occurring as disclosed”; or whether the adviser had direct or indirect access to clients’ credentials (e.g., pins and passwords) in connection with “data aggregation service(s) [that] allow a client to view third-party financial information” on the adviser’s Platform, which could “impair the safety of clients’ assets.” The staff also observed that advisers that use business-to-business or “white-label” Platforms did not have policies and procedures to assess the Platform providers’ practices in respect of these matters. Additionally, the Risk Alert notes that some advisers failed to properly review their policies and procedures annually to assess adequacy and/or effectiveness of implementation. In particular, the staff found shortcomings here with respect to marketing, performance advertising and custody. Further deficiencies cited related to the Code of Ethics Rule (including failures to obtain required reports or acknowledgements, and codes that did not include all required provisions).
  • Portfolio management – oversight. The staff stated that “many” advisers did not test their Platform’s investment advice for alignment with the “clients’ stated or Platform-determined investment objectives or otherwise satisfying their duty of care.” Specifically, the staff observed advisers that lacked written policies and procedures or whose policies and procedures were insufficient for an adviser to: develop a reasonable belief that the investment advice was in each client’s best interest based on their objectives and suitable based on their circumstances (e.g., questionnaires that relied on only a “few data points to formulate investment advice”) and periodically inquire about changes to the client’s circumstances (e.g., retaking questionnaires); ensure adequate oversight and supervision of their automated Platforms, which increased the risk of “algorithms producing unintended and inconsistent results” (e.g., coding errors, rebalancing errors, trade errors, “coding insufficient to address unforeseen or unusual market conditions”); or meet its duty to seek best execution.
  • Portfolio management – disclosures and conflicts. The staff observed that “many” advisers’ Forms ADV included inaccurate or incomplete (or omitted altogether) disclosures regarding conflicts of interest, advisory fees, investment and trading practices and ownership structure. Specific examples of omitted, inaccurate or incomplete disclosures included occasions where advisers did not disclose: an affiliation with or compensation from (e.g., referrals, trade execution) third parties that recommended the adviser or provided execution services for advisory clients; the adviser’s collection and use of client information to formulate a recommended portfolio, or how and when such portfolio is rebalanced; or the adviser’s treatment of trade error profits and losses. The staff also observed advisers that provided inconsistent disclosure across documents regarding advisory fee calculations. Further, the Risk Alert notes that “more than half” of examined advisers’ advisory agreements, terms and conditions or other documents included hedge clauses or other exculpatory language that could be inconsistent with advisers’ fiduciary duties.
  • Performance advertising and marketing. The staff identified advertising-related deficiencies at “more than one-half” of the advisers examined. According to the Risk Alert, these included: making misleading or prohibited statements on the adviser’s website (e.g., “vague or unsubstantiated claims” regarding advisory services provided, investment options available, performance expectations and potential costs); suggesting Securities Investor Protection Corporation (SIPC) protection of client accounts from market declines; using press logos without links or explanations of their relevance; making references to positive third-party commentary without an explanation of its relevance or potential conflicts of interest; using materially misleading performance advertisements (e.g., with hypothetical performance of a model not paired with relevant disclosures to make the performance not misleading); having insufficient disclosure regarding “human” services versus electronic investment advice (e.g., whether a human was “available, mandatory, or restricted,” whether a human financial professional was assigned, relative costs of such advice).
  • Cybersecurity and protection of client information. The Risk Alert states that “while all of the advisers had business continuity plans, and the vast majority had written policies regarding identifying and recovery from cybersecurity events, fewer ... addressed protecting the firm’s systems and responding to such events.” The staff also observed advisers that did not fully comply with Regulation S-ID or S-P, because those advisers: had “covered accounts” but no written policies and procedures to detect, prevent and mitigate identity theft; did not have policies and procedures that addressed all of the elements of Regulation S-P; and/or failed to deliver initial and/or annual privacy notices to all clients as and when required.
  • Registration matters. The staff stated that “nearly half” of advisers that relied on the “Internet Adviser” exemption from registration4 did not satisfy its requirements or were not otherwise eligible for SEC registration as they did not have an interactive website or provide advisory personnel to clients.5

     

Discretionary Investment Advisory Programs

The staff assessed compliance with Rule 3a-4 and, where such compliance was not claimed or observed, whether alternative measures were employed to address the status of the relevant discretionary advisory programs under the 1940 Act. The staff also assessed whether adequate disclosures were provided and policies and procedures were implemented to satisfy Rule 3a-4 (or any such alternate means of addressing any 1940 Act status questions).

  • Reliance on the nonexclusive safe harbor provisions of Rule 3a-4. The staff observed that advisers recommending discretionary investment advisory programs often were unaware that such a program could be an unregistered investment company. The Risk Alert notes that some advisers that recognized the issues claimed reliance on Rule 3a-4, while others did not claim reliance on Rule 3a-4 or employ alternative compliance measures. Additionally, the staff observed that some advisers claiming reliance on Rule 3a-4 in respect of the programs they operated or sponsored did not comply with all requirements of Rule 3a-4. Noting that many of these advisers had compliance policies and procedures that the staff viewed as either inadequate or insufficiently implemented (or both), the Risk Alert recommends that advisers sponsoring or operating programs relying on Rule 3a-4 should “adopt compliance policies and procedures that are reasonably designed to validate that such programs” operate in a manner consistent with Rule 3a-4’s provisions.
  • Establishing client accounts. The staff observed that some questionnaires relied upon by advisers to provide individualized advice “included a very limited number of data points, potentially increasing the risk of not providing clients with individualized advice or acting in their clients’ best interests.” The staff viewed such questionnaires as insufficient to meet the requirement of Rule 3a-4 that the program provide individualized advice. The staff also observed advisers that expressly prohibited clients from imposing reasonable investment restrictions or made it difficult to do so (e.g., clients who sought to impose a restriction were then required to select a different model portfolio or were “warn[ed] of negative consequences” from the restrictions without further explanation, advisers did not adequately disclose that the client could impose reasonable restrictions or provided inaccurate or insufficient information as to the ability to impose reasonable restrictions), conflicting with Rule 3a-4’s requirement to allow clients the ability to impose reasonable restrictions.
  • Ongoing communications. Despite Rule 3a-4 requirements related to ongoing communications with clients, the staff observed that a number of advisers relying on Rule 3a-4 did not: periodically request information to update the client’s financial circumstances or investment objectives quarterly; determine whether the client wanted to impose new, or modify existing, reasonable restrictions quarterly; or provide clients with sufficient access to advisory personnel with knowledge of the client’s account (e.g., restricting access to advisory personnel through requiring certain account minimums, failing to offer advisory personnel at all, offering only technical support and general customer service support).
  • Client rights. The staff observed advisers that restricted cash or security withdrawals or limited other rights or indicia of ownership (e.g., to vote or delegate voting of proxies, to proceed directly as a security holder against an issuer without joining any operator or other client of the program, to receive transaction confirmations and other required documents confirming that legal documents were sent to clients), contravening Rule 3a-4’s requirement that clients retain these rights and indicia of ownership to the same extent as if the clients held those assets outside of the programs.

     

Staff Recommendations for Improving Compliance

As the Risk Alert acknowledges, the eIA Initiative reviewed a variety of advisers and observed a “wide range of compliance practices”; as such, the staff noted that “not all of the [noted] practices” are “universally applicable.” Nonetheless, the staff provided some observations that it believes “may assist advisers in developing and maintaining [an] adequate and effective” compliance program, including:

  • Tailored compliance programs. The staff observed that advisers with “adequate and effective” compliance programs, where practices were consistent with their procedures, “were not cited for deficiencies related to: (1) portfolio management; (2) custody; and (3) books and records. Such advisers also rarely had deficiencies related to marketing, performance advertising, or billing practices.” In contrast, the staff observed that when it identified an adviser with deficiencies in its compliance programs, the adviser “often had multiple deficiencies across more than one [of these] categor[ies].”
  • Routine testing of algorithms to ensure they are operating as intended. The staff recognized advisers that performed algorithm-related testing at least quarterly, noting that it had observed certain commonly employed practices, including: testing performed by algorithm designers/software developers that included additional teams (e.g., portfolio management, compliance either working independently or relying on other groups, internal audit, information technology); exception reporting or other reporting mechanisms that combined “high-level and account-specific results” that “often” were reviewed by algorithm designers/software developers; and compliance issues where “many” firms also included reviews by portfolio management or information technology.
  • Safeguarding algorithms. The staff found that “most” advisers sought to prevent unauthorized algorithm changes by limiting access to relevant code to certain personnel and providing advance notice to compliance staff of “substantive algorithm changes or overrides.” While advisers using “white label” Platforms generally could not modify underlying code, many reported that the Platform providers furnished notice to advisers of any changes.

     

Implications for Investment Advisers

The Risk Alert and the eIA Initiative are the latest in a series of efforts to help the SEC better understand, and adapt the Advisers Act regulatory regime to, electronic investment advice. The Risk Alert shows not only that the SEC’s focus on certain areas of compliance (e.g., performance presentation, disclosure of conflicts of interest, cybersecurity) is broadly based and perennial, but that electronic investment advice presents distinct challenges to the SEC and the regulatory framework. The staff’s response to these challenges demonstrates a preference to apply the same detailed fiduciary guidance commonly applied to more traditional advisory services. However, it is becoming clearer that the SEC is finding what many electronic investment advisers already know: a regulatory framework that focuses on the human characteristic of trustworthiness (which is central to acting as a fiduciary) cannot always be easily and directly applied to algorithm- and machine-learning-based services. The greatest strengths of automated investment services (mainly their scalability, replicability and consistency in application) have tended to be treated in the existing regulatory scheme as failures to provide sufficiently individualized treatment, which the SEC and its staff view as contrary to an adviser’s fiduciary duty to provide suitable investment advice.

The SEC also faces the same practical difficulty as many front-line compliance professionals: it is difficult and burdensome to bring the design, monitoring and testing of highly technical, code-based systems within the scope of a regulatory compliance program adopted under rules that were conceived in the context of traditional, human-based services. While the Risk Alert shows many signs that the SEC and its staff are developing an appreciation for this issue, some of the staff’s expectations (e.g., assessing whether electronic advisory programs are meeting clients’ best interests as part of the compliance function) assume a degree of coordination among compliance, investment management and software development personnel that is not yet practicable, and these expectations might be too rigid and inflexible to conform to the diversity of the different types of advisers and advisory models. Thus, robo-advisers and other firms that employ electronic investment advisory techniques might find it useful to study the Risk Alert and future statements from the SEC and its staff to learn whether such firms’ practices, disclosures and policies and procedures are consistent with the SEC’s evolving views.

The authors would like to thank Elona Belokon for her contributions to this OnPoint.

Footnotes

1) SEC Division of Examinations, Risk Alert, Observations From Examinations of Advisers that Provide Electronic Investment Advice (Nov. 9, 2021). The Division of Examinations was formerly known as the Office of Compliance Inspections and Examinations (OCIE). At times, this OnPoint tracks language in the Risk Alert without the use of quotation marks.

2) Request for Information and Comments on Broker-Dealer and Investment Adviser Digital Engagement Practices, Related Tools and Methods, and Regulatory Considerations and Potential Approaches; Information and Comments on Investment Adviser Use of Technology to Develop and Provide Investment Advice, SEC Rel. Nos. 34-92766, IA-5833 (Aug. 27, 2021); SEC Press Release, SEC Requests Information and Comment on Broker-Dealer and Investment Adviser Digital Engagement Practices, Related Tools and Methods, and Regulatory Considerations and Potential Approaches; Information and Comments on Investment Adviser Use of Technology (Aug. 27, 2021). The SEC also explored related issues at a meeting of the Evolution of Investment Adviser subcommittee of the Asset Management Advisory Committee on July 7, 2021. See SEC Webcasts, SEC Asset Management Advisory Committee Meeting.

3) Company Act Rule 3a-4 (Status of Advisory Programs). For more information on Rule 3a-4’s safe harbor, see Request for Information and Comments on Broker-Dealer and Investment Adviser Digital Engagement Practices, Related Tools and Methods, and Regulatory Considerations and Potential Approaches; Information and Comments on Investment Adviser Use of Technology to Develop and Provide Investment Advice, SEC Rel. Nos. 34-92766; IA-5833 (Aug. 27, 2021).

4) An Internet Adviser is eligible for registration because the entity: provides investment advice to all clients through an interactive website (i.e., “a website in which computer software-based models or applications provide investment advice based on personal information each client submits through the website”) and to fewer than 15 clients through other means during the prior 12 months; maintains a record demonstrating that investment advice is provided exclusively through an interactive website in accordance with these limits; and does not control, is not controlled by, and is not under common control with, another investment adviser that is SEC-registered solely in reliance on the adviser registered under this exemption. Advisers Act Rule 203A-2(e).

5) In other cases, the staff found that an adviser’s affiliates were improperly unregistered because the affiliate was operationally integrated with the registered adviser, and therefore ineligible to rely on a registration exemption or, in other cases, the affiliate was improperly registered due to its reliance on the Internet Adviser’s registration as a basis for its own registration, which is not permissible.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
