How to Know Your Compliance Program Is Audit-Ready: A Checklist

Building an audit-ready compliance program is the dream. You know that your firm is prepared to meet any document request or regulatory inquiry with ease. You go to sleep each night confident that your firm is in compliance and your team is well-prepared to demonstrate that to the SEC.

It sounds terrific on paper, but how do you know you’ve built an audit-ready compliance program in reality? Here, we explore the signs your program is audit-ready and provide a checklist all CCOs can use to reach that goal.

Signs Your Compliance Program Is Audit-Ready

All audit-ready compliance programs share specific characteristics.

It starts with your firm’s culture. Everyone on the team promotes a culture of compliance. Compliance is not something to fear–it’s something to celebrate. All employees feel empowered to discuss the basics of robust regulatory compliance. This spirit of openness extends to the boardroom. Compliance has a seat at the management table and is included in all early business planning.

Similarly, the compliance team is empowered. CCOs and other compliance professionals have the autonomy and authority to do what they need to do. When they ask for necessary resources, leadership is happy to support them.

Finally, an audit-ready compliance program is proactive, not reactive. A firm with a healthy compliance culture builds an adequately-resourced program from a staffing, training, and technology and systems perspective.

Your Audit-Ready Checklist

Now that you understand the characteristics of an audit-ready program, you may be wondering how to get there.

The process is sequential. It begins with establishing appropriate processes and procedures and ends with creating a system where you can provide evidence of compliance at any time.

Walking through this checklist will help you understand current deficiencies in your program. Once you can check off all of these boxes, you can rest assured you have built an audit-ready firm.

1. Establish Your Compliance Processes

  • ☐ Design and implement a compliance program that adequately addresses your firm’s risks
  • ☐ Inventory and prioritize/rank the firm’s risks
  • ☐ Identify controls to help mitigate those risks
  • ☐ Create procedures to execute the controls
  • ☐ Perform your Annual Review, as per SEC Requirements, to ensure the controls are appropriate and functional, and to identify any new risks

2. Follow the Process

  • ☐ Assign the controls to owners responsible for executing at a defined frequency
  • ☐ Establish transparency in the completion of assignments
  • ☐ Retain evidence of controls testing

3. Train Your Team

  • ☐ Educate your colleagues on compliance processes
  • ☐ Run mock scenarios to coach responses to examiner’s inquiries (“no” is a complete sentence)
  • ☐ Ensure the team is confident in its ability to produce records/evidence as requested

4. Produce Evidence

  • ☐ Have the capability to identify and extract the relevant, in-scope records efficiently, accurately and completely, with supporting evidence
  • ☐ Produce statistics and summaries of trends (where the exceptions are occurring), which inform the strengthening of your control framework

Are you ready to build an audit-ready compliance program at your firm? Learn how the dynamic fintech combination of BasisCode and ORION can help you achieve that goal.

Compliance approval: 0939-OAT-5/27/2022

Solutions To Build an Audit-Ready Compliance Program

Several factors hinder a CCO’s ability to create and maintain an audit-ready compliance program. From resource constraints to lack of team-wide engagement, we talk about the range of barriers in our first blog in this series.

Fortunately, though, people and technology-based solutions can help CCOs overcome these hurdles and succeed in building a robust, audit-ready compliance program that suits their firm’s needs and meets regulators’ high expectations.

Here, we explore how a compliance partner and technology solution can combine to help CCOs build a comprehensive compliance program they can be proud of.

The Role of a Compliance Partner

Many organizations lack dedicated compliance resources or in-house compliance expertise. However, these firms are still held to the same regulatory standards as their peers. For firms in need of additional support, an external compliance consultant is a valuable partner.

Consultants can identify gaps and weaknesses in firms’ compliance programs to:

  • • Design an appropriately tailored program.
  • • Implement and execute the program through partial or complete outsourcing.
  • • Aid in exam preparation through mock examination exercises.

Preparing for an SEC exam is akin to running a fire drill. Consultants will offer services like a mock audit, where they assume the role of regulator and test your compliance program to validate a firm’s audit readiness.

Additionally, a consultant can coach staff on how to behave during a regulatory exam and respond to SEC inquiries. This guidance ensures firms follow mandatory processes and set a chain of command.

Where Compliance Management Technology Fits In

Compliance software promotes efficiency, enabling compliance professionals to quickly respond to numerous requests by leveraging a fully-integrated technology suite. The information accessible from a properly-implemented technology solution is robust, comprehensive and often exceeds an examiner’s needs.

A fully-integrated compliance technology solution can:

  • • Design and administer compliance tests, certifications and attestations across your organization.
  • • Maintain risk inventories, ratings and weights.
  • • Connect risks to their mitigating controls.
  • • Provide timely updates on new regulatory standards and expectations.
  • • Manage gift and entertainment reporting and monitor firm-wide limits.
  • • Automate paper-driven processes, including those around political contributions, advertising, and outside business activities.
  • • Organize and share compliance documents across the firm, virtually and securely.
  • • Coordinate and conduct internal audit processes.

The benefits of leveraging a compliance technology solution do not end today. Retaining access to data and statistical insights across a compliance program empowers that program in perpetuity. 

A compliance officer can easily recall what happened many months ago, make a qualitative assessment on how controls are working and determine if changes in the business model or regulatory requirements warrant any modifications.

Compliance programs must cover a lot of ground, so it’s easy to understand why a fractional CCO would struggle to manage the entire operation independently. But firms can’t afford to settle for “good enough.” Outside resources exist to support your internal compliance team. Even a small internal team can meet big regulatory expectations with the help of compliance consultant partners and innovative technology solutions.

Download our ebook to learn more about the pieces that come together to form an audit-ready compliance program.


Compliance approval code: 0936-OAT-5/26/2022

Common Deficiencies and Weaknesses in Compliance Programs

The SEC interacts with RIAs throughout the year, sending document requests and conducting exams. During these engagements, the Commission’s leadership begins to see patterns emerge. There are certain areas where many firms struggle to remain in compliance.

Through its Risk Alerts, the SEC actively communicates these exam observations. Over the years, the Commission has identified several common program deficiencies and weaknesses:

  • • Inadequate compliance resources
  • • Failure to implement tailored compliance procedures
  • • Failure to conduct and adequately document annual reviews
  • • Failure to adequately supervise employees
  • • Conflicts resulting from wearing multiple hats

The Commission has been vocal in its concerns regarding the role of compliance, the impact of exam preparedness (or lack thereof) and the impression they receive when witnessing firm inadequacies. 

These three underlying issues remain perennial concerns for the SEC.

1. Chief Compliance Officers Are Not Empowered

In November 2020, then Director of the Office of Compliance Inspections and Exams (OCIE, now EXAMS), Peter Driscoll, highlighted some of the ways in which CCOs are hindered in their ability to build and manage robust compliance programs.

While they are often tasked with creating policies and procedures to adhere to SEC guidance, those same CCOs may not receive the resources they need to execute on them. If CCOs are not given the budget to hire personnel or engage vendors with appropriate systems, the guidelines remain theoretical.

In other instances, CCOs are not included in the firm’s business processes early enough. Leadership must give compliance a seat at the table from day one in discussions regarding firm strategy, such as product development plans. When CCOs are not engaged in a timely manner, they miss out on the opportunity to effect change or identify preventable issues.

Finally, firms sometimes place responsibility on the CCO for an employee or officer’s individual failure to follow a firm policy or procedure. CCOs have the power to set policy, but they don’t have supernatural control over other people’s actions.

2. Incomplete Recordkeeping Leading to Poor First Impressions

We’ve all heard the maxim, “You never get a second chance to make a first impression.” That’s why it’s crucial CCOs greet the SEC with solid evidence of a healthy compliance program in their first interaction with regulators.

Unfortunately, the SEC reports that those first impressions of compliance programs are often weak.

In an October 2018 speech, SEC Commissioner Hester Peirce noted some common issues with recordkeeping and early meetings that erode the Commission’s trust in the firm’s compliance efforts.

It’s common for firms to scramble when they receive a document request. If the firm has to cobble together records reactively, rather than having them on-hand, its day-to-day compliance efforts are likely lacking.

Commissioner Pierce also notes that to identify something as abnormal, you first need to understand what normal looks like. Firms that struggle to create exception reports often lack a baseline understanding of compliance standards.

These issues with recordkeeping come together to create big headaches for CCOs, RIAs and their clients.

3. Chief Compliance Officers Are Overstretched and Underperforming

Even the most talented and competent CCOs only have 24 hours in the day. The SEC finds that many CCOs are overstretched, either in terms of resources or responsibilities (or both). As a result of this tension, important compliance matters can fall through the cracks.

In its November 2020 Risk Alert, the SEC identified two major hurdles overburdened CCOs often encounter.

In some firms, CCOs have other responsibilities and titles. Without a full-time focus on compliance, these individuals find it challenging to dedicate the appropriate time and attention to compliance-related matters.

As firms grow, their compliance operations must keep pace. Another significant deficit the SEC observed is firms’ failure to scale compliance operations to address a larger client population. It’s unreasonable to think that the same team that managed your compliance when you had $5 million in AUM will be able to handle compliance when your firm has $500 million in AUM.

While these challenges are real and pervasive in the world of RIAs, it’s not all bad news. There are several solutions CCOs can engage with to improve their compliance programs and reduce the burden that falls squarely on their shoulders.

Download our ebook to learn more about the solutions that can help you build an audit-ready firm.


Compliance approval code: 0936-OAT-5/26/2022

Hot Topics From the 2022 SEC Exam Priorities

Each year, the SEC releases its Exam Priorities toward the end of the first quarter. The document is a regular reminder that compliance is not a one-and-done endeavor. The world we work in is constantly changing, and regulatory expectations often shift to adjust to new realities.

Reflecting on the latest Exam Priorities can help compliance officers decide where to direct their energy in the coming year. Here, we dive into the SEC’s priorities released at the end of March 2022 and flag some of the areas CCOs should think about.

Standards of Conduct

The SEC takes its mission of protecting investors seriously. That’s why firms’ standards of conduct are a perennial focus of SEC Exam Priorities.

This year, the document was especially focused on ensuring firms are acting in clients’ best interests and communicating those efforts to clients.

Maintaining appropriate standards of conduct starts with fiduciary duty. The SEC reminds firms that the client’s best interest should be at the heart of every decision. Each investment must be considered with respect to a client’s risk tolerance, potential upside and downside, and costs associated with each asset.

It’s also crucial firms keep an eye on their internal actions. The SEC affirms that firms should be focused on managing conflicts of interest and staying honest about any incentives they receive for recommending certain products or strategies.

The final component of acceptable standards of conduct is sharing your firm’s practices with clients. You must disclose incentives. You must share information assembled for Form CRS and Form ADV with clients. That’s how they develop a clear understanding of how you run your business. Clients need to know about any potential conflicts of interest, disciplinary history, and fees and costs.

RIA and Broker-Dealer Regulatory Exams

For both RIAs and broker-dealers, the SEC’s regulatory exams focus on ensuring you have a robust, effective compliance program. The SEC wants to see programs with clear documentation, testing, and employee training.

For broker-dealers, the SEC places particular emphasis on:

  • ●The firms’ recommendations and sales practices around more complex or risky asset classes. This includes SPACs, structured products, leveraged and inverse exchange-traded products (ETPs), REITs, private placements, annuities, municipal and other fixed-income securities, and microcap securities.
  • ●Practices, policies, and procedures related to evaluating cost and reasonably available alternatives. Is your firm recommending products that are genuinely in the investor’s best interest?
  • ●Compensation structures for your team. The SEC is concerned with conflicts that these structures may create. If you are tapped for an exam, the SEC may focus on securities sales conducted by your highest-compensated team members.

For RIAs, the SEC is focused on:

  • ● Fiduciary duty. Are you acting in your clients’ best interest, providing impartial advice, disclosing conflicts of interest, and maintaining duties of care and loyalty? If you’re missing critical components of the standards of conduct guidelines outlined above, you’re likely not meeting the SEC’s expectations.
  • ● Advisory fee errors. This includes everything from a failure to adjust fees as promised in investor agreements, to mistakes in calculating tiered fees to a failure to refund prepaid fees on accounts that had been closed or pro-rated fees for new clients.

Information Security and Operational Resiliency

Technology is an essential part of business today. There are significant advantages to using digital solutions in your organization, but it also means you must have a plan to protect personal information and maintain operational resiliency.

The SEC expects firms to implement measures to prevent service interruptions and protect clients’ personal identifying information (PII).

There’s a lot to consider regarding technological risks, from creating secure client-facing accounts to establishing airtight connections between your distributed team in our new work-from-home reality.

On the client-facing side, you should:

  • ● Help clients maintain account security. Consider implementing features like multi-factor authentication for your accounts.
  • ● Verify investors’ identities and work to prevent unauthorized account access.
  • ● Prevent and disclose any account intrusions or data leaks.

Internally, it’s essential to:

  • ● Address any phishing scams or potential hacking incidents resulting from suspicious emails sent to your team.
  • ● Keep an eye on red flags related to identity theft, and communicate with clients about risks or leaks.
  • ● Respond to incidents promptly.
  • ● Establish best practices for your distributed team, such as using VPNs and secure cloud-based applications.
  • ● Vet the security practices of your vendors and service providers to ensure they meet your standard.

Even if you’ve read through countless SEC Exam Priorities of years past, there is always something new to focus on. Every firm has its strengths and weaknesses, so it’s wise for compliance officers to review the latest document with an eye toward SEC expectations your firm might struggle to meet. The best way to remain audit-ready is to be proactive about addressing regulatory concerns.


Filing Deadlines: How To Proactively Prepare

The start of the calendar year is a hectic time for compliance officers. There are numerous deadlines firms must hit, from Form 13F to Schedule 13D to financial statement state filings.

If you don’t already have a streamlined process for tracking and gathering the information you need for these filings, you’ve probably experienced a stressful past few months.

The bad news is that there are key filing deadlines to hit throughout the year, so the scramble could continue. The good news is that there are ways to proactively prepare for filing deadlines so you can hit them all without breaking a sweat.

Know Your Deadlines

This may seem obvious, but the first step to hitting your deadlines is knowing when they are. Some deadlines, like Form 13F, are the same for everyone–45 days after calendar year-end and the end of every quarter. Others are dependent on activities within your firm, like Form 8-K, which must be filed four business days after a triggering event.

Finally, some reports have different annual and quarterly filing dates based on firm attributes. Annual Report on Form 10-K and Quarterly Report on Form 10-Q set different due dates for large accelerated, accelerated, and non-accelerated filers.

Compliance officers must have a handle on when each of their filings is due. Creating one calendar for the compliance team with all key deadlines establishes a shared understanding of dates to hit.

With all of the deadlines in the calendar, you and your team can work backward to set internal dates for checking paperwork and reviewing forms before final submission.

For forms triggered by a specific event, it may be helpful to create a shared worksheet that you and the team can reference for reminders of requirements and deadlines when a triggering event occurs.

Gather Paperwork All Year

One of the major causes of panic around filing deadlines is the need to track down certain internal forms and paperwork. Often, relevant documents are stored on an individual’s hard drive and are not easily accessible to the CCO or other compliance officers.

Instead of waiting until the filing is nearly due, create a repository of necessary documents all year round.

This may start with drafting a shared checklist, where your team can see a list of the documents needed to complete each regulatory filing. Whenever someone on your team completes or obtains a necessary document, they immediately drop it into the shared file and check the item off the list.

This provides compliance officers visibility into where each filing stands and who has contributed. The CCO can rest easy knowing the forms are easily accessible, or they can track down team members who may owe relevant paperwork.

Monitor New Filing Requirements

Regulatory agencies often update filing requirements to address new concerns. For example, the SEC recently changed its Form ADV to fit the new marketing rules.

The world will continue to change around us, and the SEC and FINRA will adjust filing requirements accordingly. Compliance officers must remain abreast of the latest regulatory changes and make the appropriate adjustments to internal policies and procedures to ensure the team complies with these new expectations.

Setting a Google alert for SEC and FINRA risk alerts or press releases is one way to watch for new information. Certain compliance software tools, like BasisCode, will also issue alerts when relevant policy changes occur.

Choose the Right Tool

The pandemic has accelerated a global shift toward digitalization, and regulatory agencies are no exception. The SEC has proposed amendments to expand its online filing to make it more efficient for everyone involved.

In this new digital-first world, a comprehensive compliance tool is vital. A platform like BasisCode can not only achieve the above tasks–creating shared checklists, monitoring employee form submissions, and serving as a repository for necessary paperwork–it also makes digital filing seamless.

Form 13F can be compiled securely in the BasisCode platform and quickly submitted digitally to the SEC or FINRA. The platform will notify you when you have reached thresholds for other filings.

When you work in financial services, regulatory filing deadlines are a fact of life. Delaying your preparation won’t make them go away–it will only cause stress for you and your team. A proactive approach is the best way to ensure you hit your many filing deadlines throughout the year.


Why You Need To Document Your Compliance (And How To Do It)

Advisors wince at the prospect of an SEC or FINRA exam. The fear of the unknown is part of the apprehension. What will they look for? What if they find something? And how do we know we’re in compliance?

While you can’t foresee what aspect of your firm’s work the regulators may choose to audit, you can be sure that your exam will begin with a document request.

The documentation and records that you keep on your firm’s activities are how you know you’re in compliance. And perhaps even more crucially, that paperwork is how the SEC or FINRA knows you’re in compliance.

The best time to ensure your documentation is in place is before the regulators ever knock on your door. Here’s how to keep your documentation in order all year round.

Educate Your Team

Your Chief Compliance Officer – or the person given that responsibility – cannot be the only person in the firm who’s responsible for documenting compliance efforts. Each of your colleagues touches work that must be recorded. From their personal trading records to interactions with clients, every employee has a role in creating and maintaining compliance-related documentation.

That’s why a robust compliance program begins with education. Your team must be up-to-date on what paperwork is required by regulators.

CCOs can create training modules and quizzes to test the entire team on various aspects of regulatory compliance. Running skills and drills with your team ensures everyone in your organization is aware of these documentation requirements.

Regularly Audit Your Policies and Procedures

For CCOs, it’s not just about testing your team. You should be regularly testing yourself, too. That includes internal audits of your existing policies and procedures.

Start by setting dates in your calendar to review your written compliance policies quarterly.

The SEC and FINRA regularly release risk alerts and make policy updates. Each review session of your documentation should occur with an eye toward the latest information from regulatory agencies.

Is there something the SEC or FINRA has highlighted in a recent risk alert that you notice is lacking in your documentation? It’s not enough to say you’re committed to improving in that area–you need to update your written policies to create a more robust framework around those areas of concern.

Once you’ve updated your policies and procedures, it’s time to highlight those changes with your team. Any time you update your operations, run drills to get everyone up to speed.

Select the Right Compliance Tool To Maintain Your Records

Staying up-to-date on your firm’s paperwork and the latest regulatory expectations can be demanding. A comprehensive compliance tool can help CCOs automate certain processes and prevent tasks from falling through the cracks.

A robust compliance tool is designed to:

  • ●Create a secure, shared space for your entire team to access policy and procedure documents.
  • ●Track each team member’s individual paperwork around items including personal trading, gifts and entertainment, and client management.
  • ●Establish shared checklists so the whole team has visibility into the status of compliance-related projects.
  • ●Share risk alerts from regulatory bodies, so everyone is up on the latest expectations.
  • ●Build out a compliance calendar to ensure the team is working toward hitting all filing deadlines.

With all this information in one secure tool, CCOs know precisely where to go if and when a document request arrives from the SEC or FINRA. There is no last-minute scramble to hunt down paperwork stored on hard drives, in file cabinets around the office, or in folders at home.

An advanced compliance tool can eliminate some of the anxiety firm leadership feels around an exam request. While it’s impossible to know when one will come, knowing that your documentation is ready and waiting to meet any regulatory request provides peace of mind.


How To Create and Implement Compliance Policies and Procedures

Financial regulators are consistently updating guidance and laws to reflect the ever-changing reality of our modern financial system. Cybersecurity, robo-advising, and other technological advancements necessitate new rules and regulations.

Whenever the SEC or FINRA issue new rules or risk alerts, it’s incumbent upon CCOs to ensure their firms meet these updated expectations. The best way to maintain firm-wide compliance is to create policies and procedures to address these changes and then establish a culture of adherence.

If you manage compliance operations at your firm, here are some tips to keep your policies and procedures in line with the current regulatory moment.

Stay Up-To-Date on Regulatory Guidance

The SEC and FINRA consistently communicate their regulatory expectations to CCOs and advisory firms. In addition to their annual exam priorities, both regulatory agencies also issue regular risk alerts. These documents highlight gaps they’ve seen across firms they’re auditing and provide other CCOs with a heads up about regulators’ current concerns.

It’s crucial that all firm leadership, especially CCOs, remain abreast of regulators’ latest updates and guidelines. There are several ways to do this:

  • ● Set a Google Alert for SEC and FINRA guidance or policy changes.
  • ● Create a calendar reminder to periodically check the SEC or FINRA websites for newly released risk alerts.
  • ● Sign up for relevant industry newsletters.
  • ● If you are a BasisCode user, you’ll receive automatic updates in the system whenever a new regulatory alert is issued.

Review Your Policy Regularly

Once you know what the regulators wish to see from your firm, it’s time to proactively meet those expectations.

The first step in meeting new requirements is adjusting your current policies and procedures to address the guidelines. Each quarter, set aside time to review your policy and procedure documents and update them as needed.

Making updates is mandatory when a new law goes into effect, but internal policy should also be changed to reflect concerns regulators have flagged in risk alerts. If a regulatory agency tells you it’s essential to do something, your policies and procedures should mandate that behavior.

Taking steps to update your policy proactively means you will be in compliance long before becoming the focus of a regulatory exam.

Share New Documentation With Your Team

If a policy is changed on your hard drive and no one’s around to read it, does it make an impact?

The answer, of course, is no. And that’s why it’s just as important to share your new policies with your team as it is to create them.

Any time you update policies and procedures, take the following steps:

  • ● Send a message to your whole organization alerting them of the change.
    • ○ Share the new document in its entirety.
    • ○Include some bullets at the top, educating the team about substantive changes and how they affect each person’s workflow.
  • ● Create learning modules and quizzes to test your team’s understanding of new policies and procedures.
    • ○A robust compliance tool allows you to easily run trainings and test skills all in one place.

Create Checklists for Adherence

Once your team understands what’s needed from them, build guardrails to make sure they continually adhere to these new policies.

A comprehensive compliance tool can help you create shared checklists. You always have visibility into each team member’s work and can rest assured they’re ticking all of the compliance boxes (literally).

Take the new marketing rules as an example. One of the most substantive changes in this regulation is how testimonials are managed. Suppose your marketing team is used to the old workflow for gathering and approving client testimonials. A checklist that calls out new steps reflective of recent laws reminds them to systematically go through each new procedure.

Prepare for a regulatory exam or document request by being proactive. Updating your compliance policies and procedures in advance ensures you’re meeting regulatory standards long before the SEC or FINRA checks your work. Regular review and revision of compliance policies and procedures are hallmarks of a successful compliance program.


5 Benefits of an Integrated Compliance System

All robust compliance programs share a few key elements:

    • ● Thorough documentation
    • ● Up-to-date policies and procedures
    • ● Regular monitoring of firm activities
    • ● A well-trained and informed team

While this list looks short on paper, a lot of effort goes into ensuring your firm hits all of the requisite marks. When you’re a CCO, it’s up to you to execute flawlessly on these goals. Between regular filings and unexpected audits, you must be ready to demonstrate your compliance bona fides to regulators at any time.

Fortunately, today’s technology means you don’t need to go it alone. A comprehensive compliance program can help CCOs manage employee behavior, streamline training, create a clear paper trail, and monitor ongoing firm activities. Here are five of the ways an integrated compliance system keeps your firm’s compliance program on track.

1. Create a Centralized Information Platform

Regulators want to see documentation of your compliance efforts. Whether it’s paperwork to support a regular filing deadline or information associated with a document request, demonstrating compliance is much easier when all of your data is in one place.

An integrated compliance system houses your information under the same digital roof. If you need to pull your team’s gift and entertainment reporting paperwork, it’s in your compliance tool. 

Want to access your firm’s policies on marketing and testimonials? That’s in your compliance tool, too.

Keeping all of your compliance information eliminates the guesswork around where to find relevant documentation. An audit or document request is stressful enough without a mad dash to track down the paperwork you need. Maintaining your records in your compliance platform means you know right where to go.

2. Receive Automatic Updates

The other key component of documenting your policies, procedures and compliance activities is keeping your paperwork up-to-date.

This is no easy task if you’re managing it manually. You have training and certifications from your team, paperwork tracking employees’ trading and gifts and entertainment, firm-wide policies and procedures, and information on your clients.

With a comprehensive compliance platform, all of this information syncs automatically.

BasisCode uses a REST-based API that allows for easy integration with your other internal and third-party systems. Our app makes it easy for your team to update their information on the go, and our security features mean that your data is always protected.

BasisCode’s platform even pulls in up-to-date regulatory alerts so that you remain abreast of the latest expectations for your compliance program.

3. Undertake Constant Monitoring

Before the days of compliance technology, a heavy burden was placed on CCOs to monitor various documentation and systems manually.

Keeping a watchful eye on your employee’s personal trading is a prime example. With manual monitoring, individuals’ statements were reviewed periodically. If suspicious activity was detected, it was in previous months’ trades.

With a comprehensive compliance platform, this monitoring happens constantly and automatically. Now, red flags are spotted right away and can be dealt with immediately.

Regular, automated monitoring reduces the risk for delayed reactions and missed issues due to human error. Instead, CCOs can rest assured that problems will be flagged, and they can turn their attention away from tedious monitoring and toward more pressing compliance concerns.

4. Build a Shared Workspace

An essential component of a successful compliance program is keeping everyone on the same page. With an integrated compliance system, you can corral your team in one digital arena.

The benefits of a shared workspace go both ways. Your team can place all necessary documents in one location, meaning you always have access to the paperwork and information you need. 

Similarly, it empowers you as CCO to push out new and pertinent compliance information to everyone on your team. From the latest risk alerts to your firm’s new marketing policy, you know your entire firm is well-educated about your latest compliance updates.

And with a shared workspace protected by top-of-the-line security measures, there’s no need to worry about hackable Google Docs or email attachments. All documentation lives on a secure platform that you and your team can access from anywhere.

5. Manage Employee Training and Education

The final piece of a robust compliance program is ensuring that your team knows how to remain in compliance and can document their actions in real-time.

It’s not enough for you to share a new risk alert and assume your team will read it. An integrated compliance tool allows you to test your team on its knowledge.

With a tool like BasisCode, you can develop training and quizzes for your team to educate them about what compliance looks like in real-world scenarios. You can also create checklists to keep your team on track in updating any existing paperwork or procedures to comply with new rules.

All of this information is visible to you in a shared system. You always know where each of your colleagues is in their compliance journey. This empowers you to follow up with folks who need an extra nudge or provide additional training to individuals who are struggling to grasp a new compliance concept or expectation.

CCOs are expected to meet regulatory demands, monitor employee behavior, provide updates to firm leadership, and ensure everyone remains informed about the latest compliance alerts.

To succeed in building a robust compliance program, it can feel like you need to be in several places at once. An integrated compliance system allows you the next best thing, helping you keep an eye on your team’s behaviors, customer portfolios, and regulatory expectations simultaneously. Reach out to schedule your demo today!


New Marketing Rules: What CCOs Need To Do Now

In December 2020, the SEC announced the first substantive overhaul to Rule 206(4)-1 under the Investment Advisors Act in nearly 60 years.

It makes sense–a lot has changed since the 1960s. The new SEC marketing rules reflect the realities of how integrated digital marketing strategies allow us to engage with consumers.

The SEC finalized the rules on December 4, 2020, but they provided a compliance grace period for advisors. Come November 4, 2022, firms will be responsible for adhering to these new standards. 

Let’s explore the actions CCOs should take now to ensure they’re in compliance by the Q4 deadline.

Get To Know the New Rules

The new marketing rules change everything, including the very definition of the word advertising. 

According to the SEC, “The amended definition of ‘advertisement’ contains two prongs: one that captures communications traditionally covered by the advertising rule and another that governs solicitation activities previously covered by the cash solicitation rule.”

That first prong includes any direct or indirect communication from an advisor that’s offering investment advisory services to a client or prospect. Your email newsletter, social media posts, or blog content may fall under this umbrella. One-to-one communications are excluded, so personal emails or phone calls are not advertising.

The second prong focuses on compensated testimonials. It’s important to note that compensation need not be in the form of cash. If you offer a prize or reduced advisory fee–any sort of financial incentive–in exchange for a testimonial, it is considered compensation.

In terms of limitations, the SEC’s new marketing rules hold firms accountable for:

  • Making false statements, including statements that are false by omission or that cannot be substantiated. E.g., You cannot promise specific percentage returns to prospects.
  • Providing an unbalanced or unfair treatment of advice, risks, or limitations. E.g., You cannot present actual returns for an unusually strong year as if it represents what clients can expect from future performance.
  • Including any information that is otherwise materially misleading. Essentially, do not overtly lie or fudge the truth. E.g., You cannot say you have $500 million AUM when, in fact, you only manage $100 million.
  • Using testimonials and endorsements only if the firm shares specific details: Namely, the individual’s relationship to the firm and whether or not they have been compensated. E.g., If you hire Chuck Norris to advertise for your firm, you must make it clear that he is not a client and has been paid to appear in your advertising.

For a complete look at the SEC’s new marketing rules, see the SEC’s press release on the updated guidelines.

Audit Your Existing Advertising Assets

Once you’ve developed a comprehensive understanding of the SEC’s new marketing rule, it’s time to audit your existing advertising materials internally.

It’s crucial to be systematic in your approach. Testimonials may be tucked away in a downloadable white paper. Perhaps you have an old blog post that shares high-level year-end performance but omits data that are statistical outliers. Marketing materials considered out of bounds by these updated standards could be lurking anywhere across your firm’s digital footprint.

This content can be overlooked easily and cause headaches if you’re asked to account for your marketing materials. Build a checklist to work through all your marketing platforms so that your team can divide and conquer the internal audit process.

Modify Your Policies and Procedures

In addition to reviewing your assets, you must take a second look at your policies and procedures.

The first step is updating your internal policies to reflect the new marketing rules. Ensure your core marketing policies align with the SEC’s regulations. Remove any language that is ambiguous or runs counter to the new guidance. Consider incorporating the actual language from the SEC so your team can see firsthand what’s expected.

Once you have revised your policies, it’s time to adjust procedures to meet these new expectations. Creating checklists for your team can walk them through the new guidelines. Put guardrails in place so a second set of eyes evaluates every new piece of marketing against the SEC’s rules before it goes out the door.

Leaving execution to chance is a surefire way for old habits to creep in and derail attempts to meet new rules. Make it easy for your team to comply by providing them with a clear roadmap for success.

Test Your Team

Once your team has access to new policies and has received training on new procedures, it’s time for them to test their knowledge.

Rather than risking a costly mistake in the real world, use the time you have now–between the announcement of the rule and the expected November 2022 compliance date–to test your team in simulated situations.

Draft quizzes where you ask your team to identify problematic messaging in fictitious email newsletter copy. Write questions that challenge your team to think about what they’d do in a scenario where a colleague skips steps in the content development compliance checklist.

The best way to ensure real-world success is to create a safe space for your team to make mistakes. That’s why tests and drills can be valuable in helping your team learn the ropes of the new rules.

Document Everything

As all CCOs know, the devil is in the documentation. The SEC will not take your word regarding compliance; it expects to see clear documentation of your processes and procedures.

Part of documentation pertaining to marketing is developing a clear system for showing the compliance team has reviewed and approved all marketing materials before release. Creating a system where each approved piece of content receives a compliance code establishes a paper trail for your review process.

Any time the SEC–or any regulatory body–makes updates to policy, CCOs must take note. It’s not a cause for panic, but it is a time to pay careful attention to your firm’s current processes. 

Identify what needs to change, and take explicit steps to make necessary adjustments. Finally, don’t forget the importance of documentation in providing evidence of compliance with any regulation.

If adhering to the new marketing rules feels overwhelming, a comprehensive compliance tool like BasisCode, can help you keep track of the moving parts and hit crucial deadlines. Reach out to schedule your demo today.


What It Means To Be Audit-Ready in 2022

Uncertainty makes people uneasy. The anticipation of an SEC audit–not knowing if and when your firm might face one–is part of what makes it intimidating.

That’s why we advocate for building an audit-ready business. You can’t control if and when the audit comes. But if you’re always prepared to face one, there’s never a need to panic.

What does it mean to be audit-ready in 2022? We’re so glad you asked! We’ve compiled a list of risks the SEC is watching. Here’s what your firm should be thinking about, from outside risks like cybersecurity to internal compliance procedures like gift and entertainment disclosures.

Monitoring Digital Risks

The world grows more digitally-driven with every passing day. Relying on technology makes our lives more seamless, but it also introduces risk.

One significant liability that remains as a result of the pandemic is the one created by work from home. Financial firms have a duty to protect clients’ personally identifiable information (PII). When your team is distributed and information about clients must circulate outside your office walls, there is the threat of bad actors intercepting those communications.

Smart firms are implementing tools that allow their team to communicate safely and efficiently from afar. Virtual private networks (VPNs) are a must for distributed teams. 

Running vulnerability scans and engaging in penetration testing allows you to identify weaknesses in your security before an ill-intentioned outsider can. 

And features like single sign-on (SSO), multi factor authentication, and write once, read many (WORM) storage ensure your team can share PII without risk.

It’s just as vital that you educate your audience about cybersecurity risks. Encouraging your clients to use multifactor authentication and instituting CAPTCHA tools on your client-facing platforms empower your clients to protect their data when it’s in your hands.

Meeting New Expectations

The SEC’s new chair, Gary Gensler, stepped into his role in April 2021. With new leadership often comes new rules and expectations. We’ve already seen shifts in the SEC’s guidance for firms, such as the new marketing rule. And when its exam priorities are released in the coming weeks, we can expect to see the SEC voice additional concerns.

When new rules are handed down, you must shift internal policy and training to meet them. A compliance tool can help you update procedures and distribute them seamlessly to your team.

Training Your Team

The other piece of creating new policies is ensuring your team knows how to act under them. If your team doesn’t understand what complying with new rules looks like, your business is not audit-ready. Here’s where testing and drills come into play.

Compliance officers can design quizzes and mock scenarios to test each employee’s understanding of new guidelines. Drills are a quantitative way to assess your team’s audit readiness, and they allow CCOs to clarify misunderstandings and strengthen policies to address gaps.

Your team is only as strong as your weakest member, so take the time to get everyone up to speed on the compliance issues that can impact your firm.

Investing In Ethics

The SEC expects firms to implement a code of ethics. This document reinforces the importance of acting ethically on behalf of clients and the firm.

One of the SEC’s recent areas of focus has been on the behaviors of individual employees, not only the firm as a whole. To remain audit-ready in 2022, you must create a clear framework around your expectations of employee behavior.

Your gifts and entertainment policy and insider trading rules should be areas of focus. A compliance tool can help you communicate and enforce these policies, while also making the employee disclosure process seamless.

Aligning Compliance With Consumer Trends

ESG and robo-advising are two areas of investing that have gained significant attention from consumers in recent years. As advisors scramble to meet consumer demand, the SEC is taking notice.

Both ESG and robo-advising are new. Therefore, neither has clear regulatory guardrails around it. Expect that to change. As the SEC begins to identify potential risks in these two areas, they will create new guidance to mitigate them. Once the SEC issues a new policy, you must adjust to meet it if you wish to remain audit-ready.

As a compliance officer, it’s your job to stay on top of shifting rules. And when the rules change, you must review your old policies to make sure they meet new requirements. If they don’t, it’s up to you to adjust your approach and let your team know that things are changing.

There will likely be new trends and risks that emerge throughout the year that will catch the eye of the SEC. For compliance professionals who wish to remain audit-ready, it’s not about identifying every potential risk that may appear. It’s about building a system that empowers you to respond quickly to any possible shifts in policy. 

A comprehensive compliance tool like BasisCode helps you with everything from monitoring SEC expectations to setting new rules to ensuring your team is aligned with the latest expectations.

Schedule a Demo to Be Audit-Ready