On Nov. 9, 2021, the Division of Examinations (the Division) of the Securities and Exchange Commission (the SEC) released a Risk Alert (the Risk Alert)1, discussing its observations from its recent examinations of investment advisers that provide automated digital investment advisory services (robo-advisers). Under the Division’s Electronic Investment Advice Initiative, the SEC exam staff looked into how robo-advisers are operating, how robo-advisers provide advisory services to retail and institutional clients, and how robo-advisers satisfy their regulatory obligations under the Investment Advisers Act of 1940, as amended (the Advisers Act). Below is a summary of the Risk Alert and our takeaways.
Background
The SEC’s effort to address regulatory issues specific to robo-advisers dates back to 2002,2 although the first robo-adviser-focused guidance was not issued until 2017,3 and the first robo-adviser-targeted enforcement actions were not issued until 2018.4 The new Risk Alert appears to have been prompted by the Division’s recent observation of significant growth in the industry.
Examination Focus
With an eye focused on a robo-adviser’s adherence to its fiduciary duties, the Division noted that in its examinations, it specifically reviewed robo-advisers’:
- Compliance Programs to assess whether compliance policies and procedures were adopted, implemented, reasonably designed, and tested at least annually.
- Formulation of investment advice to evaluate whether robo-advisers gathered sufficient information from clients to form a reasonable belief that clients were receiving investment advice that was in their best interest. The Division also reviewed “customization” representations for adequacy and accuracy.
- Data protection practices to understand the robo-advisers’ policies and procedures regarding client data protection, including cybersecurity practices.
- Registration information to determine whether robo-advisers were eligible for SEC registration as investment advisers.
- Compliance with Investment Company Act Rule 3a-4 to determine whether robo-advisers are operating advisory programs that constitute unregistered investment companies.
Staff Observations
Deficiencies
The Division noted that “nearly all” of the robo-advisers examined received a deficiency letter. These deficiencies were most often in the following areas:
Compliance programs. The Division noted that most robo-advisers’ policies and procedures were insufficient, unimplemented or untested. The Division noted that advisers failed to “[i]nclude elements in their policies and procedures specific to their use of an online platform and/or other digital tools for the provision of investment advice, such as assessing whether the advisers’: (1) algorithms were performing as intended; (2) asset allocation and/or rebalancing services were occurring as disclosed; and/or (3) data aggregation services did not impair the safety of clients’ assets as a result of the adviser having direct or indirect access to clients’ credentials (e.g., pins and passwords).” Advisers also failed to undertake an annual review of their policies and procedures to ascertain the adequacy and effectiveness of the policies and procedures.
Portfolio management – oversight. Robo-advisers failed to test if the investment advice generated by their platforms appropriately considered client investment objectives or otherwise satisfied the advisers’ duty of care. Among other things, the Division noted that robo-advisers “[l]acked written policies and procedures related to the operation and supervision of their automated platforms, increasing the risk of algorithms producing unintended and inconsistent results (e.g., due to coding errors or coding insufficient to address unforeseen or unusual market conditions, such as those caused by geo-political events, substantial oil price movements, or interest rate changes).”
Portfolio management – disclosures and conflicts. Robo-advisers provided inaccurate or incomplete disclosures in their Form ADV. In addition, the Division noted the use of hedge clauses and/or exculpatory language in advisory agreements, “terms of use and conditions,” and other documents. Examples of omitted, inaccurate, or incomplete disclosures included failure to disclose fee arrangements and affiliations with purported third parties; inadequate disclosure regarding how the adviser collects, uses, and updates client information in providing investment advice; failure to discuss profits and losses from trade errors; and inconsistent disclosure across documents, especially regarding advisory fee calculations.
Performance advertising and marketing. Robo-advisers made misleading or prohibited statements on their websites: they used vague, unsubstantiated claims, misrepresented SIPC protections as protecting investments from market declines, and failed to explain the relevance of, and/or link to, disclosures that further explain positive third-party reviews and press pieces. In addition, advisers used misleading performance advertisements, such as the improper use of hypothetical performance, and failed to adequately disclose the “human” services offered to clients and the costs thereof.
Cybersecurity and protection of client information. The Division noted that many robo-advisers failed to implement written policies and procedures which addressed protecting the advisers’ systems and responding to cybersecurity events. In addition, the Division observed that advisers were not in compliance with Regulation S-ID and/or Regulation S-P.
SEC Registration. Nearly half of the robo-advisers claiming reliance on the Internet advisers’ exemption (Advisers Act Rule 203A-2(e)) were ineligible to rely on the exemption and therefore were ineligible to register or remain registered with the SEC.
Discretionary Investment Advisory Programs
The Division focused on robo-advisers’ provision of discretionary investment advisory services and assessed whether the services met the requirements of Investment Company Act Rule 3a-4, which provides certain discretionary investment advisory programs with a safe harbor from investment company status.
Unregistered investment companies. The Division noted that robo-advisers provided discretionary investment advice to a large number of clients on the same or similar basis, frequently using asset allocation programs. These advisers were often unaware that such services may constitute unregistered investment companies and failed to rely on Rule 3a-4 or take alternative measures.
Client questionnaires. The Division noted that robo-advisers utilized client questionnaires which included a limited number of data points. In addition, certain questionnaires did not permit a client to impose reasonable restrictions on their account investments, which is a requirement to rely on the safe harbor of Rule 3a-4.
Periodic communications. The Division noted that robo-advisers often failed to meet Rule 3a-4 requirements to contact each client at least annually to update the client’s financial situation or objectives and to determine if the client wishes to impose any reasonable restrictions on the account. In addition, advisers failed to provide clients with quarterly notifications to contact the adviser with any changes to such information. Advisers often failed to provide clients with a reasonably available person sufficiently knowledgeable about the client account and its management.
Indicia of ownership. The Division noted that robo-advisers often failed to ensure that clients retained certain indicia of ownership of their investment as required by Rule 3a-4.
Takeaways
Robo-advisory services are becoming a common offering by investment advisers and, as a result, are becoming a focal point for SEC review. In light of this new focus on robo-advisers, we offer the following takeaways:
- As highlighted in the Risk Alert, the SEC staff expects robo-advisers to tailor their compliance policies and procedures, disclosures, and marketing to the risks inherent in robo-advice. Such tailoring requires robo-advisers to pay special attention to the construction, testing, and safeguarding of algorithms and any other technology robo-advisers use to deliver advice. This likely requires coordination between a robo-adviser’s legal and compliance personnel, on the one hand, and its technology personnel, on the other. Cybersecurity also is paramount.
- The SEC staff may be breathing new life into the long-ignored and unenforced Investment Company Act Rule 3a-4, devoting over 20% of the Risk Alert to deficiencies related to the rule. While non-compliance with the rule is not actionable – as the rule is merely a safe harbor – non-compliance could lead to a claim that a robo-adviser is operating an unregistered investment company, as discussed in the Risk Alert. Advisers relying on the Rule 3a-4 safe harbor may want to re-examine their compliance with its various requirements.
- The Risk Alert should be considered in light of the broader examination by the SEC of digital engagement practices prompted by the “meme stock” frenzy last spring. Chair Gensler has indicated that a rule proposal addressing investment advisers’ conflicts of interest related to “gamification” (i.e., using such practices to optimize revenue for the platform rather than investment results for clients) may be in the works.
Copyright © 2021 Stradley Ronon Stevens & Young, LLP. All rights reserved.