SEC Seal Copyright Chip Somodevilla, Getty Images

Surprise! The SEC Is Here! Are You Prepared?

How RIAs should handle the SEC’s unannounced examinations.

By Brian Hourihan

In case you missed it, the U.S. Securities and Exchange Commission examiners in Boston, Mass., have been showing up at registered investment advisors’ offices unannounced to conduct “surprise” examinations.

The SEC has been conducting these unannounced “surprise” exams to:

  • Better understand how an RIA operates when it thinks no one is looking.
  • Avoid situations where an RIA “cleans up” its compliance program and records after receiving notice of an impending SEC exam with a document request letter.

Lack of RIA Preparedness

This new SEC tactic has caused substantial concern among the RIA community given that, according to a recent survey, many RIAs believe they would flunk an SEC exam and their senior executives question their firm’s ability to satisfy SEC examiners’ expectations. These concerns are real. According to the SEC, about 70 percent of SEC exams result in deficiency letters and around 10 percent are referred to the SEC Enforcement Division.

The RIA community’s angst is amplified by the lack of a clear understanding of the SEC’s 2017 exam priorities and by SEC Chair Jay Clayton’s note that the SEC will increase RIA exams by 20 percent in 2018, with a focus on compliance with SEC regulations, including the SEC Cybersecurity Guidance.

What Should Advisors Do to Prepare?

Every advisor (RIA or not) should take an SEC mock exam to:

  • Test their compliance programs and regulatory controls.
  • Identify potential weaknesses in their compliance programs and controls.
  • Take appropriate steps to enhance those controls and update their policies and procedures.

SEC Mock Exam: Key Action Items

  • Engage an expert compliance consultant to manage an SEC mock exam, prepare assessment results, and partner with you to enhance your compliance program and controls, including your policies and procedures.
  • Review recent SEC exam request letter(s) and confirm that you have and/or can produce the requested documents and data.
  • Review any prior SEC communications, including any prior SEC exam deficiency letters and the steps you took or would take to address any deficiency. If you did not address an identified deficiency, now is the time!
  • Review your current business model, including any changes in businesses, products, operations, and personnel, against your current controls, policies and procedures.
    • Run tests and assessments of your controls, policies and procedures against your current business model. Do your policies and procedures accurately reflect your business(es) and control structure(s)?
  • Assess the ability of your firm to promptly produce the documents and data the SEC requests.
    • Are your records readily accessible? Can you prepare requested reports promptly in the format requested? Do you have the personnel and/or expertise to understand SEC information requests and “SEC hot buttons”?
  • Assess the ability of your employees from “line” to “C-Suite” to prepare for and respond to an SEC exam and the SEC examiners.
    • Have you educated your employees about proper “dos” and “don’ts” when preparing responsive written materials and/or responding orally to questions?
  • What project management skills do you and your firm have to appropriately manage a multiple-month SEC exam with multiple data requests?
    • How will you track the many responsive materials provided to the SEC, and the multiple follow-on document requests? Do you have a tracking matrix and the ability to “Bates Stamp” your responsive documents?
  • What expertise does your firm possess to work with the SEC during your SEC exam and to draft appropriate responses to SEC recommendations and observations to avoid being referred to the SEC’s Enforcement Division?
    • Hire an expert to partner with and manage your SEC exam to a successful and minimally invasive conclusion. The potential negative consequences are too great to do otherwise.

Brian Hourihan is Regulatory Compliance Officer at Gemini Companies
