Skip to main navigation

Regulatory compliance for registered investment advisors - An effective technology plan for investment advisors - EY - United States

Regulatory compliance for registered investment advisors

An effective technology plan for investment advisors

  • Share

Successful regulatory compliance will require IT to archive, maintain, report on and recall relevant operational data.

An effective technology plan for registration as an RIA should begin with a baseline current-state assessment of IT policies, procedures, risks and control activities.

The ultimate goal of this assessment is to identify and document necessary improvements in the key compliance technologies and related processes that your RIA compliance program.

When reviewing IT's current capabilities and capacity, focus on the following areas:

Electronic records management

Successful regulatory compliance requires a sophisticated ability to archive, maintain, report on and recall relevant operational data. Of all the IT focus areas, records management will likely be the most complex and challenging.

It entails capturing written and electronic records, historical data, data acquired through acquisitions and multiple copies of the same files that reside in different locations throughout the company. From the outset, compliance, operations and other stakeholders must work with IT to determine which systems contain the official books and records, a process that can be challenging.

Protection of investor data

Working with stakeholders throughout the company, IT should review its data protection and security and privacy policies to identify any gaps between existing security policies and SEC requirements.

With this information, IT can create a risk-based remediation plan to address these gaps through technology enhancements and procedural adjustments, such as expanding entitlement reviews to cover additional systems and privileges.

IT should track the progress of its remediation efforts closely to ensure that all procedural/ technology gaps are closed.

Email and IM retention

RIAs must be able to archive all email and instant message communications. Companies that do not have archival tools or third-party service providers in place should look to acquire these tools or contract with a specialty third-party service provider that can meet compliance's needs.

These tools should work seamlessly with existing security and archival systems and provide monitoring of load status, data purges and changes to key logging and retention settings.

Business continuity

Companies typically create business continuity plans for moments of crisis or temporary technological interruption, and IT is usually the steward. As the organization changes systems and procedures to support SEC compliance, it must update its business continuity plans to ensure that these changes are addressed.

A robust business continuity plan begins with the execution of a business impact analysis (BIA), updated periodically when changes to the business occur. The results of this BIA can be used to drive the development of the plan and to identify gaps in existing plans.

IT can then work with the business to prioritize remediation efforts, assign ownership and track progress made toward closing the gaps.

General IT controls

IT should make certain that it has formal and evidenced control processes in place for change management, logical and physical security administration, job/process scheduling, operations management, backup and recovery.

Working closely with members of the compliance team, IT must also create mechanisms — such as internal audits or risk and control self-assessments — to periodically evaluate the design and operation of these controls in order to continually identify potential regulatory gaps and close them.

Oversight of third-party service providers

IT general controls, security, business continuity planning and records management assessments should, naturally, include an examination of those third-party service providers currently working with the company.

After a thorough assessment of third-party service providers is completed, the results can be analyzed and integrated with the company's broader vendor-assessment effort.

<< Previous | Next >>

Back to top