The staff (“Staff”) of the SEC’s Division of Examinations issued a risk alert1 (the “Risk Alert”) on the Staff’s observations from examinations of SEC-registered investment advisers that provide automated digital investment advisory services (“robo-advisers”). The Risk Alert is intended to raise awareness about and ensure clear and adequate disclosure from robo-advisers and that robo-advisers are acting in their clients’ best interests.
Staff Observations on Deficiencies
I. Electronic Investment Advice
- Compliance Programs. The Staff observed robo-advisers that did not include important elements in their policies and procedures specific to providing investment advice through the use of an online platform and/or digital tools. For example, robo-advisers lacked policies and procedures to assess whether: (i) algorithms performed as intended; (ii) asset allocation and rebalancing services occurred as disclosed; and (iii) data aggregation services did not impair the safety of clients’ assets as a result of robo-advisers having either direct or indirect access to client credentials. The Staff also observed robo-advisers that did not sufficiently review the effectiveness and adequacy of their policies and procedures at least annually and robo-advisers that failed to comply with the “Code of Ethics Rule” under the Investment Advisers Act of 1940 (the “Advisers Act”).
- Performance Advertising and Marketing. Many robo-advisers had advertisement-related deficiencies including: (i) using vague or unsubstantiated claims that could cause an untrue or misleading implication or inference to be drawn; (ii) misrepresentations of SIPC protections by implying that client accounts would be protected from declines in the market; (iii) the use of popular press logos such as ABC and CNN without using links or any disclosure explaining their relevance; (iv) references or links to positive third-party commentary without disclosure of relevance or conflict of interest; and (v) materially misleading performance advertisements on their websites including hypothetical performance results of an investment model applied retroactively without adequate disclosures and also failing to provide information on whether interactions with live individuals are available.
- Cybersecurity and Protection of Client Information. The Staff observed that many robo-advisers lacked policies and procedures regarding protection of the robo-adviser’s systems and responding to cybersecurity events. Many robo-advisers were not in compliance with Regulation S-ID and Regulation S-P.
- Registration Matters. Nearly half of the robo-advisers claiming reliance on the internet adviser exemption in Rule 203A-2(e) under the Advisers Act were found to be ineligible, and many were not otherwise eligible for SEC-registration. Contrary to the internet adviser exemption’s requirement that an adviser provide investment advice to clients exclusively through an interactive website, the Staff observed many robo-advisers that did not have an interactive website or provided advisory personnel who could provide investment advice to clients. The Staff also observed that some robo-advisers had affiliates that were operating as unregistered investment advisers.
II. Discretionary Investment Advisory Programs
- Reliance on the Nonexclusive Safe Harbor Provisions of Rule 3a-4. The Staff noted that robo-advisers who commonly provided the same or similar investment advice to a large number of clients on a discretionary basis using asset allocation portfolios that they, an affiliate, or a third-party created often: (i) were unaware that the programs they sponsored or operated were unregistered investment companies; or (ii) claimed programs they operated or sponsored were reliant on the safe harbor provided by Rule 3a-4 under the Investment Company Act of 1940, but the programs were not actually compliant with the provisions of Rule 3a-4.
- Establishing Client Accounts. The Staff observed robo-advisers that did not comply with the requirement for sponsors relying on Rule 3a-4 to obtain from each client when the account is opened, and update periodically thereafter, information regarding the client’s financial situation and investment objectives, in addition to inquiring as to whether the client wants to impose any reasonable restrictions on the management of the client’s account.
- Ongoing Communications. Many robo-advisers failed to communicate with their clients at least annually as required by Rule 3a-4 to: (i) update the client’s financial situation or investment objectives; and (ii) determine if the client wishes to impose any reasonable restrictions on the management of the client’s account or reasonably modify any existing restrictions. Additionally, robo-advisers failed to notify clients at least quarterly to contact the Adviser with any changes to such information. The Staff also observed robo-advisers that provided clients with limited or no access to advisory personnel knowledgeable about the account and its management.
- Client Rights. The Staff observed robo-advisers that: (i) restricted clients’ ability to withdraw securities or cash from accounts; (ii) did not permit clients to vote proxies or delegate that right to a third-party or required clients to request this right; (iii) did not ensure that clients were sent legally required documents (e.g. trade confirmations and prospectuses); and (iv) did not permit clients to have the legal right to proceed directly as a shareholder against the issuer of any security held in the client’s account as prescribed in Rule 3a-4.
Staff Observations on Ways to Improve Compliance
The Staff highlighted practices such as the following that may assist robo-advisers in developing and maintaining adequate and effective policies and procedures.
- Testing Algorithms Periodically to Ensure that they are Operating as Expected. With respect to robo-advisers that tested their algorithms at least quarterly, the Staff observed the following practices: (i) the testing process included not only algorithm designers/software designers but also others such as portfolio management, compliance, internal audit and information technology staff; (ii) compliance staff performed independent testing; and (iii) both high-level and account specific exception reports or other reporting mechanisms were commonly used and reviewed by algorithm designers/software designers as well as compliance, portfolio management and information technology staff.
- Safeguarding Algorithms. Most robo-advisers employed measures to prevent unauthorized algorithm changes, such as exclusively limiting code access to certain persons and providing compliance staff with advance notice of substantive algorithm changes and overrides.
The Risk Alert demonstrates the Staff’s focus on ensuring that robo-advisers are acting in the best interest of clients and in compliance with applicable regulations, including their eligibility to register with the SEC and adherence with the requirements of Rule 3a-4. Seward and Kissel LLP, and our compliance consulting service SKRC (Seward & Kissel Regulatory Compliance), are available to assist investment advisers with the issues identified in the Risk Alert.