On November 9, 2021, the Securities and Exchange Commission (“SEC”) Division of Examinations (“Division”) published a Risk Alert related to investment advisers that provide automated digital investment advisory services online, via a mobile application, or both (referred to in the Risk Alert as “robo-advisers”). However, the Division has raised compliance and investor protection concerns related to the increasing prevalence of robo-advisers. Accordingly, the Division recently conducted a series of examinations on these advisers to assess their practices and obtain a better understanding of how these firms operate.

The Risk Alert highlighted the following:

Compliance programs. Most advisers either lacked written policies and procedures or had policies and procedures that were insufficient for their operations, or untested.

• Many advisers had missing elements in their policies specifically related to the advisers’ use of an online platform, such as assessing whether the algorithms were performing as intended, asset allocation and rebalancing were occurring as disclosed, and ensuring that data aggregation services did not negatively affect client assets.
• Advisers often failed to adequately review their policies and procedures annually, which caused them to fail to detect noncompliance with certain SEC rules.
• The Risk Alert mentions the “Custody Rule,” since some advisers failed to recognize that certain practices constituted custody.
• Similarly, the Risk Alert referenced the “Code of Ethics Rule,” since some advisers failed to obtain proper holdings reports, transactions reports and written acknowledgements from employees.

The Risk Alert specifically recommends that advisers adopt, implement and follow written policies and procedures that are tailored to the adviser’s practices.

Portfolio management – oversight. Advisers generally either had no policies and procedures in place to test their portfolio management practices, or they did have policies in place, and they were not followed in a way that satisfied their fiduciary duty to their clients. For example:

• Advisers commonly used questionnaires to collect client data. However, these questionnaires were, at times, too short to ensure that enough data was being collected in order to formulate appropriate investment advice.
• Advisers failed to periodically evaluate whether accounts were still being managed in accordance with clients’ needs, such as inquiring about any changes to their financial situation.
• The Division also observed a lack of oversight of automated platforms, which increased the risk of rebalancing errors, trade errors or algorithms producing unintended results.
• Advisers are required to seek best execution, and often did not review their best execution practices or were unaware of this obligation at all.

The Risk Alert specifically recommends that advisers test algorithms periodically to ensure that they are operating as expected and employ safeguards to prevent unauthorized algorithm changes. Advisers should make testing of their algorithms a collaborative process between portfolio management, compliance, internal audit and information technology staff.

Portfolio management – disclosures and conflicts. The Division noted inadequate disclosures in advisers’ Form ADV filings related to conflicts of interest, advisory fees, investment practices and ownership structure. Staff also highlighted the use of hedge clauses in advisory agreements with clients and “terms of use or conditions” that did not align with disclosures elsewhere, or their fiduciary duty. Examples of inadequate disclosures included:

• Affiliated third-parties;
• How the adviser collects and uses information gathered from a client to generate a recommended portfolio;
• How and when rebalancing occurs;
• Processes for addressing profits and losses from trade errors; and
• Advisory fee calculations.

Performance advertising and marketing. Advisers would often make misleading statements on their websites, including:

• Using vague language or substantiated claims about their advisory services;
• Misrepresenting SIPC protections;
• Using press logos for news sources without disclosure;
• Referring to positive third-party commentary without disclosure;
• Using hypothetical, or otherwise materially misleading, performance information without disclosure; or
• Providing inadequate information about “human” services.

Cybersecurity and protection of client information. Few advisers had cybersecurity policies that addressed how to protect the firm’s systems, and how to respond to cybersecurity events. Advisers were also often not in compliance with Regulation S-ID, Regulation S-P, or both due to inadequate policies and procedures surrounding privacy.

Registration matters. Nearly half of the advisers claiming reliance on the Internet adviser exemption were ineligible to rely on the exemption, and many were not otherwise eligible for SEC registration. Division staff also observed that some advisers’ affiliates were operating as unregistered investment advisers because they were operationally integrated with the respective advisers.

The Division also reviewed the user of discretionary investment advisory programs (“programs”) to assess whether the programs provided each retail client with individualized treatment and enabled clients to maintain ownership of the securities in their accounts.

Reliance on the nonexclusive safe harbor provisions of Rule 3a-4. Advisers were often unaware that the programs they sponsored or operated may be unregistered investment companies. Advisers would also claim that programs they sponsored or operated were relying on Rule 3a-4, or have policies that indicated that they did, but without adequately complying with all of the provisions of the safe harbor.

Establishing client accounts. The adviser recommending the program is required to obtain information from each client regarding the client’s financial situation and investment objectives and goals at the opening of the account and updated periodically thereafter.

• Advisers observed not complying with these provisions would use questionnaires to gather information that included a very limited number of data points, or not allow clients to impose reasonable restrictions.
  • For example, advisers would require the selection of a different model portfolio if any restrictions were requested, establish unduly restrictive requirements, or warn of negative consequences that may result from applying restrictions.
• Advisers would also not adequately disclose to clients that they could impose reasonable restrictions on the management of their accounts.

Ongoing communications. Advisers relying on the safe harbor are required to contact each client periodically to update the client’s financial situation or determine if changes are necessary. Division staff observed issues with advisers meeting these requirements, such as:

• Not requesting the required information regarding clients’ financial situations and investment objectives;
• Not communicating with clients about their ability to impose new, or modify existing, reasonable restrictions; or
• Providing clients with limited or no access to advisory personnel knowledgeable about the account and its management.

Client rights. Division staff observed advisers that:

• Restricted their clients’ ability to withdraw cash or securities from their accounts;
• Did not allow clients to vote proxies or to delegate that right to a third-party for any or all securities;
• Appeared not to ensure that clients were being sent legally required documents; or
• Did not allow clients to have the legal right to proceed against the issuer of any security in the client’s account.

Greyline recommends that robo-advisers revisit their policies and procedures in light of this Risk Alert. Please reach out to your Greyline representative with any questions. The SEC press release is available here.