Starting Your RIA – Registration and Compliance Requirements

Embarking on the path to becoming an RIA is an exhilarating time filled with opportunities and challenges, and our experts are here to guide you every step of the way. In Part 2 of our 2024 Starting Your RIA podcast series, we’ll dive into the registration process and essential compliance requirements:  

• Initiating Your Registration
• Individual Registration: Form U4
• Advisory Agreements
• Drafting Effective Contracts
• Compliance Manual
• Essential Policies
• Books and Records Management

By addressing these critical components, you’ll set a solid foundation for your firm’s success. Listen as we break down each of the following topics in detail, sharing insights and best practices to help you navigate the registration and compliance landscape with confidence.

Ensuring Registration and Compliance Success

Successfully registering as an RIA or broker-dealer requires meticulous attention to detail and compliance with numerous regulations.  Securities and Exchange Commission (SEC) registration involves developing a comprehensive compliance program and preparing detailed documentation. We’ll ensure all requirements are met efficiently and effectively. We also offer Outsourced Chief Compliance Officer (CCO) services, providing firms with the expertise needed.

Starting Your RIA – Additional Resources

Starting an RIA – What You Need To Know Before You Go

Growing Your RIA Business

Choose The Right Wealth Management Technology Core

Business Continuity and Disaster Recovery Plans

Transcript

Transcript provided by TEMI

Bob Mooney:  Welcome to the Oyster Stew podcast. I’m Bob Mooney, General Counsel for Oyster Consulting.  Starting your own Registered Investment Advisor firm is both thrilling and demanding. For those who are thinking about starting their own RIA, this week’s Oyster Stew podcast dives into the registration process and essential compliance requirements.  Oyster experts Brent Nicks, Candy Palugi and Nolan Hughes share insights and best practices to help you navigate the registration and compliance landscape with confidence. Let’s get started – Brent? 

Brent Nicks:  Hey, thanks, Bob. I’m Brent Nicks a director of Governance Risk and Compliance with Oyster. And I would like to welcome you to our second in the series on starting your RIA. Before joining Oyster, just a few years ago, I did spend a large part of my career doing what you may currently be considering, which is building and running an RIA. I’m here today with longtime colleagues in a former life during our careers, and current expert Oyster consultants, Candy Palugi, and Nolan Hughes. How are you guys doing today?

Nolan Hughes:  Doing well,

Candy Palugi:  Doing well, Brent. Thank you.

Brent Nicks:  Nolan maybe first really quickly, if you could maybe just give us a quick flyover of your background that’d be awesome.

Nolan Hughes:  Sure, Brent. I’ve got about 18 years experience in the industry, almost exclusively in compliance, ranging from bank broker dealers to regional dual registrant firms, solo RIAs as well as the aggregator RIAs.

Brent Nicks:  Good deal. And how about you, Candy?

Candy Palugi:  Yes. I have over 20 years’ experience in the industry, mainly at large broker dealer, RIA firms the most recent couple of years dealing almost exclusively with small independent RIAs. Half of my career was in the branch office environment branch operations manager, working with staff there directly in the sales field, and then the other half, latter half of my career working in compliance. And then more recently as CCO, as with consultant working at CCO, helping firms start up their new RIAs, et cetera.

Brent Nicks:  Thank you very much. I appreciate that. So, if for those of you listening to this podcast, you’re considering potentially starting an RIA and we’re going to talk about what that process for registration is going to look like for you. A lot of hurdles, a lot of things to consider. The first of which is initiating a registration with a regulator. And Nolan, I know you just went through this, so maybe if you could spend a couple of minutes talking to us about entitlements and getting that process started.

Nolan Hughes:  Sure. Brett, you know, the first thing that you’re going to want to do is gain access to the FINRA CRD system, the FINRA gateway. This allows you to set up your super account administrator, set up your entitlements, and ultimately make your initial ADV filing, which serves as your initial application for registration.

Brent Nicks:  We’ve got 50 states, plus 50 regulators, including the SEC. Anything to think about when you’re considering who you’re actually submitting this to?

Nolan Hughes:  Absolutely. Whether you’re state or SEC registered, that initial ADV filing contains the same information; but what may vary are the follow-on requirements that you receive from the regulator for which you’re applying.  Registration from each state may have different requirements. They could have different forms, different attestations, and different documents of yours that they want to see. Same goes for the SEC. So it’s really important before you get to that point, before you hit that submit button, that you’ve taken the time to look at the registration requirements within the jurisdiction that you’re applying for, to make sure you understand it and you’ve got all your ducks in a row.

Brent Nicks:  Yeah, absolutely. And of course, that gets us with the firm, and the firm’s not ready to go, of course, unless we’ve got individuals ready to dispense advice. So, Candy, what about the Form U-4?  With Nolan’s advice, we’ve got the firm going – what about the people that are going to work for the firm?

Candy Palugi:  Yes, also equally important.  So the Form U-4, which you utilize within the FINRA CRD system as well, but this is more on the individual side. Each individual who’s going to be registered with your firm, especially your key players in management, as the firm’s beginning, your first advisors with the firm, will need to complete a form U-4. Most, if experienced in the industry, will already have one on file. What you will be doing basically is looking at that information and then just converting it to your firm. But some important things you want to consider are if you’re bringing in new people whom you’ve never worked with before, or they’re not a piece of your core group, let’s say advisors, you definitely want to take a look at those U-4s and verify that information. You’re looking for disclosures, you’re looking for any prior history or any concerns, red flags, if you will, that may be in their history that you’ll want to vet and ensure that you’re comfortable with handling as you move forward.

Generally, firms find it very helpful to utilize some type of onboarding document, which requests that the prospect or the new hire complete all this information, answer a series of questions, provide you all of the personal background information you will need to complete this U-4. And then also within CRD, we can all now set up our own FinPro account, which is advised and it’s almost necessary now with continuing education, et cetera. But there’s also an e-signature capability within FinPro, which can allow you to electronically submit that U-4 in a draft form for your prospect to then take a look and actually e-sign through FinPro, kind of making the transition of the document back and forth a little easier.

Brent Nicks:  Thanks, Candy. One of the things I think is super important to remember about the U-4 process is, even if you’re a federal, you’re making individual representative application to the states. And a thing to remember as you’re getting your firm off the ground is each state deals with the admittance of both the firm and the reps a little bit differently. Some even have a more manual review process that may delay it by a few days. And remember, you can’t begin to provide advisory services until you’re actually approved to do so in the states. So, you want to take account of that as you’re registering your individuals there. So, you’ve got the firm, we’ve got our representatives getting properly established in the states, and now, we have to think about our clients.  Candy, I know over the firms we’ve worked at together and here at Oyster, we’ve seen a bunch of iterations of some call it the Advisory Agreement, some call it the Investment Management Agreement.

But in essence, it’s your contract to provide services for a fee to your clients. And first and foremost, I would say advice-wise, get counsel you trust. Because besides the investment aspects, it is a contract. So, you want to make sure that you have an engagement document with your clients that is designed for the services you’re providing, designed for your practice, applicable to the state or states in which you’re operating. And then as you get into it, and I’m going to mention a few areas in particular, then maybe Nolan, I’ll ask your thoughts on it a little bit too, is ensure that the contract, the agreement that you’re working with your clients is consistent with your practices.

So, anybody can provide you a standard advisory agreement, but you have to make sure that you’ve matched it up to your practices; that could be your billing practices. Are you billing in advance or in arrears? And how is that being calculated? Does the language of your agreement coincide with what you’re actually doing? How is discretion defined? Is it clear who has discretion? What actions can be performed without the client’s understanding or acknowledgement? And then of course, is the language in there also consistent with your regulatory documents, your form ADV and your form CRS as well?  I know I’ve seen this become a sticking point in exams. Nolan, what have you seen?

Nolan Hughes:  You know, what you see a good bit of is individuals may have it conceptualized in their minds, but they haven’t really put pen to paper. You can’t go into this without a full understanding of what your business plan is. What services are you going to offer? How are you going to engage those clients? How are you going to charge for those services and have it well defined? Not only will that create potential roadblocks in your application process, but it has a ripple effect through the creation of the other documents you just mentioned. The form CRS and your ADV, too, are disclosure brochures. So, make sure you’ve got a well-defined business plan. You’ve put pen to paper, you’re not operating off of an idea, you’re operating off of something that you know, you’ve memorialized and set in stone and be concise.

Brent Nicks:  That’s good advice. Candy, I know you’ve had a lot of opportunities to review and see a handful of examples of the kinds of engagements and contracts that firms are using. What advice might you have here?

Candy Palugi:  Yeah, one thing I’d like to point out is what we talked about earlier – whether you’re registering with the SEC directly or you’re registering your RIA with a state or multiple states, what I have found in my experience is, while the SEC will pretty much rely on you to have followed their rules, their guidelines on how you set up your investment contract, and that you have, as you said, Brent, sought good legal advice and counsel, and they are helping you set that up and ensure that it’s a solid legal document. But I have found with some state regulators, and it will vary by state, just depending on the regulator, but some state regulators have become very involved in the review of the actual investment management agreement, as well as the Form ADV, and provide significant feedback at times on exactly the type of language they want to see and exactly the type of language they don’t want to see.

So just keep that in mind, because that obviously can be a time constraint if, in one aspect with the SEC, things may go very smoothly, and you don’t have a lot of feedback necessarily; you get registered and you’re on your way. But with a state regulator, you may have a lot of back and forth with that regulator before you actually get the documents to where they’re comfortable with them. So that’s a good point to make. And then also it’s important to consider in your investment management agreement, that you put some type of clause in there to allow in the future that you can provide electronic delivery of disclosure documents and acknowledgement of delivery within this current execution of the initial investment management agreement.

Brent Nicks:  That’s a great point. That’s an excellent, excellent point. And also, as you’re thinking about efficiencies for your firm down the road, the ability to be able to be nimble regarding updating your form CRS, sending updated disclosures to your client without creating a massive physical mailing event, is, having been on the other end of that in a previous life, not a path you want to go down. I think the other thing that I would maybe ask for either of you to comment on, maybe Nolan, is, advisory services are defined by the agreement, and there may be a tendency in the industry to try to encompass all services under what I would call a cafeteria style agreement, where we’re trying to define the world and have it under a singular engagement.  With the clients that you’ve served in your roles in the past, what are your thoughts on having a, a singular agreement to provide services to your client or potentially targeted agreements to the services to be provided to a client?

Nolan Hughes:  I think it’s a little bit facts and circumstance. You know, if you have different services that are, for the most part, similar in nature, similar billing structure, similar engagement points, whether discretionary, non-discretionary, you could encompass a lot of that on a singular agreement. I think where people start running maybe a little off in the ditch is when they start trying to encompass vastly different services and service models and want an agreement.  That makes it very murky, makes it very difficult for a client to understand the exact services applicable to them. For instance, financial planning consulting that you may do off of a flat fee via invoicing versus ongoing portfolio management based off of a quarterly asset-based fee. Those are two vastly different service models with very different billing structures and entry points and exit points. My opinion has always been keep your agreements clear, keep them pointed so that it’s easy for the investor to understand the terms of their engagement with you. And if you’ve got multiple service models that are different, have a different agreement for that service model.

Brent Nicks:  And then back to, I think one of the original points that we made, is crosscheck always with your compensation style, your form CRS, your ADVs, make sure all of those dovetails together, particularly out of the gate as you’re considering starting that new firm. So, you’ve got your agreement ready to engage clients as you’re starting this process, getting your firm off the ground. But then there’s another number of other things that you have to have in place before you can really get out of the gates as a firm: your privacy policies, your Code of Ethics, your compliance manual, the requirements for a business continuity plan, a number of things. Maybe we can take a few minutes and think about some of those guys.

The privacy policy – you see so many firms that have a very boiler plated notice of privacy policies posted to their website. And while there is a lot of duplication, a lot of similarities to the way this is addressed across firms, I would just caution you as your new firm to consider your business model and all the parties that you have involved. Are those parties considered core to your business and your service provider? Is there any disclosure that you need to make in regard to what information about your clients you’ll be providing to whom? And are there any of those optional? Is there anything that’s in your business model that is designed not as the providing of the core service, but to a marketing aspect to which you really do need to provide the client an opt out opportunity for sharing of information that’s non-essential to the relationship that they’ve engaged? So that would be my one key point for you to think about as you’re developing an effective privacy policy that you have full and complete disclosure to your clients.

Candy, what about a compliance manual? You can get a template anywhere; that’s always a good starting point, but how do you make it yours?

Candy Palugi:  Yes. The compliance manual – a very, very important document as we are all aware, and when, not if, but when your regulator, whether that be the SEC or the state, comes in to examine your firm, this will be the main document along with your disclosure documents that they’re going to review. They’re going to really thoroughly review that compliance manual based on what their criteria, what they’re actually focusing on in that particular exam. And what you’ll need to do, to make sure you have a good, strong compliance manual, is first and foremost, as with all the aspects of putting all of these documents together, to consider your business model. You want to streamline your manual to specifically what you are doing in your firm. As Brent said, you could take a template, it’s a great start to have a good template that covers all of the general areas.

However, they may not all pertain to your firm and your business model at this time. So you’ll really want to pay attention to that and remove any language that’s not relevant or reduce it. If it’s just too much language in there, you know, going overboard with discussing facts that don’t necessarily need to be in that model. You should be clear and concise when you’re doing this detail, your processes, considering the personnel, the technologies that you have available. Again, don’t overcomplicate it. Just be pretty straightforward with what you’re doing and how you’re handling it. And the best thing, the best thing that I find is to take your manual, especially if you’re starting with a template, go through each section, section by section, discuss it with pertinent people in the certain areas that are handling it, such as your traders, your operations people, whoever are handling these aspects of the firm, you’ll want to talk with them to make sure that you accurately reflect what you’re doing and that you don’t say that you’re doing something that’s not going to be done.

I think that’s one of the most important things to consider in your compliance manual, is you could put something in there that states you are performing a certain review or signing off on something. And it could completely not even be related to a rule. It may just be something extra that someone or yourself has decided this would be a good idea to do. Well, if you put that in your manual, the regulator’s going to hold you to it. Even if you are not violating a rule by not doing it, they are going to hold you to it. Have you show them that you have actually done what you’ve said you’ve done. And if you’re not, that will be a finding. And so just consider those things. You don’t want to get yourself in a situation to have findings with regulators related to things that you are not even required to do according to the rules.

Brent Nicks:  No, that’s a good point. And I would say over my career that it was weighted way more frequently that the finding was based upon the contents of the firm’s own documents and their manual versus a specific deficiency related to a rule finding. And so, your point, I think, is well taken. Don’t understand your technology, understand your personnel, understand your business model, and build your manual. Do that because you’re going to have to have that ready again for day one for firm operations. So that’s an important part of your registration process. Nolan, I know because you and I spoke about it earlier today, we’re working on a Code that you were working on putting some finer points in and taking some of the sharp corners off. Would you, does the same thing apply to a Code of Ethics?

Nolan Hughes:  It does. The Code of Ethics rule has very specific requirements of what it must cover, and that’s where you need to start. You need to make sure your Code of Ethics meets the burden of the rule. And beyond that, you see some Code of Ethics that almost morph into policies and procedures and drift way off course. I think you have to be mindful of that, keep your policies and procedures and your compliance manual or your WSP manual and keep your Code of Ethics just to your Code of Ethics, with the understanding that those two supplement one another. And I think that’s an important point to keep in mind is each of those documents are supplementary to the other, right? So, you don’t have to, don’t be duplicative – keep what is necessary in each of them. And to Candy’s points, ensure that they are applicable to your business and factual.

Brent Nicks:  Correct. Absolutely. I think for the code, the important thing to remember as you’re building that initial document, and we’ll probably get into to this topic maybe in a later in this series of podcasts about RIAs, is developing your conflicts inventory, because that’s really what you’re addressing in this Code. Out of the gate, how do I need to address my employee’s political contributions? What do I need to monitor regarding their own transaction activity? And that’s going to depend on the firm, it’s going to depend on the service model you provide, the type of trading activities you do in house, and what information employees may have access to. Or your client base – are you dealing with municipalities or government entities? So there’s a number of considerations, and again, you can find a number of examples of codes of ethics available to you to help start your firm. But those need to be personalized to your firm and to make sure that you don’t have language in there that conflicts or is beyond what you need to be adhering to for particulars in your business practice.

I think probably one of the most difficult things for firms to consider, because it is just such a broad and nebulous concept, is this idea of business continuity planning, disaster recovery. What does all of this entail? What am I supposed to be doing? You can find a number of resources to assist you in building the basis of a business continuity plan, which again, you have to have that ready and understood and be able to be implemented on day one as your firm’s out. And things to consider, how many locations do you have? Are you single man or a small group shop that operates in in one location? Do you have representatives that are sitting in multiple locations? So, you have the complexities of call trees and communication channels, and what generically we refer to as muster points if something were to happen, where do you go all these considerations and what is the firm’s difference between short term and long term?

So, all of our short term and long-term events, things to think about for business continuity plans or BCPs. And then that’s got to be developed around who are your key personnel? Who absolutely, positively do we need to know where they are and are they available? Do they have access to resources? What kind of technology do you have? And the one thing also that I’ll remind you regarding developing your BCP is, what resources are available around you? What is your technology provider doing on your behalf? Your elected custodian also has a requirement to have a BCP and in many respects is going to assist your ability to be affected with your business continuity plan. And, they also have a responsibility to you and some of their responsibilities, what you are building into your BCP. So there’s a lot that goes into it. There’s a lot of thought, there’s a lot of discussion that needs to occur as you’re developing that plan. But again, one more item that you need to have up and going as you near your first day of operations. Nolan, with the BCP I mentioned a second ago technology providers, but your technology provider is also helping you protect the firm, its clients, its information. What should someone think about when they’re developing an information security policy, which is, again, something you need to have day one?

Nolan Hughes:  The industry is going further and further in the direction of cloud-based systems. The days of data rooms and server rooms are dwindling, making sure that you understand each technology that you’re utilizing. But having a full understanding of what information is flowing through that technology, where that technology is stored, how it’s protected, and, in the event of a business disruption, how can you access it? And that’s not a set it and forget it item. You have to consistently review and evaluate that on an ongoing basis to make sure you’ve got a full understanding of it and account for IT.

Brent Nicks:  Candy, what are your thoughts on what you have seen with your clients in regard to information security?

Candy Palugi:  Yeah, I agree with everything that Nolan said there. I think you have to pull in your IT provider – it is a very important resource there because they generally know all the backgrounds, they’re watching for what’s going to happen, what kind of security do you have in the background running on all your systems, which you will need to document within your information security. So, it’s important for you to have a good relationship with them and be able to communicate, and for them to provide exactly what they’re doing for you. I think another important part in the information security policy is understanding breaches. When a breach happens in our environment, it almost is definitive that it’s going to happen. So, to plan for that, what are you going to do if there is a large breach of client information?

And another thing you’ll need to consider in that aspect is, there are federal laws related to security breaches, and if you have some of your client’s personal information released during one of these breaches. But the states also individually all have their own laws around this. Whereas a certain breach may be reportable in one state, it’s not reportable in another state. So again, hopefully when you’ve chosen your IT provider, you’ve chosen someone who is familiar with breaches and state laws and things like that and how to handle them, or at least how to direct you in the right direction. And a lot of times you need to be prepared to bring in counsel as well, just depending on the significance of the breach.

Brent Nicks:  I agree. Completely agree. I think too, bring that thought back into the concept of our discussion here on registrations today is, we’ve said it before, consider your business model. Know the states that you’re operating in and know who your support is out of the gate so you can develop an effective InfoSec policy. And that needs to coordinate with the BCP, which we just talked about a moment ago. Those go hand in hand in a books and records area regarding electronic communications, archiving social media or other items that may be important to your practice.

An important thing to remember is, one of the things you are absolutely required to do independent of your firm and you can’t place reliance on anyone else, is the archival and oversight of your own communications efforts, your electronic communications efforts, your social media presence, your potential use of generative AI or large language models, which is a whole discussion on its own that we won’t get into today.

But as a firm early on, you have to identify the types of communication channels that you’re going to be using and identify a technology provider that’s going to be able to assist you in that archival effort because that is squarely on your firm. This is one of those areas of books and records where you cannot place any reliance on someone else. So super important to understand, and that should be on the punch list of day one items to go ahead and begin demos and, and efforts to determine what service provider is going to work for you.

So, with all of that said, all of that honestly sounds like a full-time job. And it is. It is. I think it very much is, with the clients that you guys are working with. Nolan I’ll go to you first. How does it make sense to deploy this as a new firm? You’re trying to build it, you’re trying to grow it. Oh, by the way, here’s all these things that we just talked about today. How do you manage through that?

Nolan Hughes:  Well, I think you have to be realistic about your current resources. And that’s human capital resources as well as technology resources. Quite a few individuals start off down this path kind of as a one man or one-woman band, wearing all the different hats, and eventually all come to the same realization. You can do one thing very well, maybe two things very well, but hardly anybody does everything well at the same time. Know what it’s going to take to run a firm. You’re no longer just running a practice or a book of business. You’re now responsible for a firm and there’s a lot more that goes into that. Identify those compliance and operational tasks and take stock. What do you have in current resources with other staff? If it’s more than just one individual, what do you have in technology to help streamline that as much as possible and consider the utilization of you know outsourced resources to provide that additional bandwidth when necessary so you can focus on what you’re really good at without sacrificing the other very important firm level and back office functions that are required now.

Brent Nicks:  I very much agree. Candy, do you have anything to add to that? I think Nolan summed it up pretty well.

Candy Palugi:  Yes, I think he did too. I don’t really – I just think, to reiterate how important it is just to make sure, as you both have said, you have to be ready to go on day one. So as soon as you are approved, your registration’s approved, whether that’s federally with the SEC or with a state, day one starts your clock ticking for when they come into your office to examine you. They’re looking at day one – did you have your compliance manual ready? Have you started doing all of these reviews, your code of ethics, attestations, things that you should be doing from day one? What have you been doing with your social media and your off channel communications, whatever was there day one matters? I think it’s important to realize you don’t really have time for a learning curve, if you will, to get right on the compliance side.

So if you don’t have a strong compliance background person in your firm with you to assist you, I think you need to be realistic and realize that your focus, if you are the advisor as well as many other hats you’re wearing already, your focus is going to be getting some revenue coming in, getting your business going, things like that. And it’s very important to make sure you have somebody who’s at the same time handling the compliance side. I think that’s where an outside resource comes in very handy. You can get partners who can get you going strong, set up a good strong compliance program for your firm, and make sure you don’t have any issues.

Another note to make is, as I’ve seen with the firms I’ve worked with, the firms that I’ve helped get started here at Oyster, is the current SEC has an initiative going where they are attempting to see every new approved RIA within the first year. And sometimes for my firms, that’s been four months, or that’s been six or eight months, but they’re coming in and they’re doing a kind of a very high-level review, and they’re looking at all of these documents that we just spoke of to make sure you have what you need and that you’ve been doing all of the things you should be doing.

Brent Nicks:  I don’t disagree. I’ve dealt with two of those in the last 12 months, so I can absolutely confirm that’s what’s going on. Nolan, what do you think about that?

Nolan Hughes:  Well, to add on to Candy’s point, when they get that initial examination and, Brent Candy, I know you have both heard this time and time again just as I have, but you get individuals that have started their firm and they thought they had a good beat on things. They get that initial examination and it’s always the same thing. “I realized I didn’t know what I didn’t know.” You see that play out over and over and over, and I don’t think a lot of people have a true appreciation for making that transition from managing a book of business to running a firm and the entire compliance function that goes with it. Which brings us back to the original part of this segment, is make sure you have the appropriate resources and knowledge in place to ensure an effective and diligent compliance program.

Brent Nicks:  Do not disagree, or, as my grandmother probably would’ve said to all of this, measure twice, cut once.  But understand your core competencies, understand your metrics, understand what the risks are as you’re getting out of the gate and where you have core competencies within your organization to address them. By all means, that’s where that needs to stay. But where you can find opportunities to use a fractional or other resources to provide you lift out of the gate and in this time period in the evolution of your firm is probably the most important time, because it’s going to set the tone for everything else. But I really appreciate Nolan, Candy, your time here today. I know the three of us would probably talk about this for hours, but I do hope that we get an opportunity to expand on this in a future podcast on this area. We appreciate everyone listening in today, and we hope to see you and talk to you again very soon.