With any luck (and lots of hard work), the founder of a financial advisory firm will inevitably be confronted with the following realization: I need to hire someone.
As a firm grows and matures, and the founder spends comparatively more and more high-value time actually rendering advice and managing client relationships, less time is available for the millions of other things that are still required for the long-term success of the business. And – as disappointing as this is – time is still a finite, zero-sum game.
After every last minute of time has been squeezed from the fruit of one’s own efficiency and with firm revenues that can hopefully support expansion, there’s really only one solution: recruiting help to fill more seats to get stuff done.
The addition of another person to an advisory firm is no small decision, and much consideration should justifiably be dedicated to ensuring such a person will be the right fit from a personality, capability, and growth perspective. In addition to the soft skills that eventually need to be considered, though, there are also legal, compliance, and information security requirements appurtenant to any new hire decision that are important for growing firms to understand before they even consider onboarding new people.
Whether retaining a full-time advisor, a part-time paraplanner, or a virtual administrative assistant, the same legal, compliance, and information security considerations will at least need to be considered in light of the person’s job function, and their access to nonpublic information about the advisory firm’s clients.
Investment Adviser Representatives (IAR) Qualification And Licensing/Registration Requirements
The specific services that a new hire is to perform will have a direct bearing on whether the individual will need to meet specific requirements to become an Investment Adviser Representative (IAR) of the advisory firm. Notably, though, whether a new hire is deemed an IAR first depends on whether the advisory firm is registered with the SEC or with their state.
IAR status is important to consider in the hiring process for both SEC- and state-registered firms because states generally impose qualification, licensing, and registration requirements on IARs. The “qualification” aspect refers to the passage of the Series 65 exam, or the Series 7 plus Series 66 exams. Obtaining a qualifying professional designation (e.g., the CFP marks, as well as the ChFC, CFA, CIC, and the CPA/PFS designations, which are listed in Section 8 of Form U4) can also supersede the need for an exam.
The “licensing and registration” aspect refers to the filing of a Uniform Application For Securities Industry Registration Or Transfer, known as Form U4, to associate the person as an IAR of the advisory firm.
IAR STATUS OF SEC-REGISTERED INVESTMENT ADVISER FIRMS
Firms that are registered with the SEC trying to determine if new team members must be qualified, licensed, and registered as an IAR should first look to the Federal definition of “Investment Adviser Representative” found in SEC Rule 275.203A-3, which provides the following definition:
(a) Investment adviser representative. “Investment adviser representative” of an investment adviser means a supervised person of the investment adviser:
- Who has more than five clients who are natural persons (other than excepted persons described in paragraph (a)(3)(i) of this section); and
- More than ten percent of whose clients are natural persons (other than excepted persons described in paragraph (a)(3)(i) of this section).
Notwithstanding paragraph (a)(1) of this section, a supervised person is not an investment adviser representative if the supervised person:
- Does not on a regular basis solicit, meet with, or otherwise communicate with clients of the investment adviser; or
- Provides only impersonal investment advice.
This is a somewhat quirky definition in that it affords a de minimis level of client interaction before IAR status is triggered, and it carves out supervised persons that don’t perform client-facing duties on a regular basis.
Even more interesting is that the definition does not detail what it means for a person to “have” a client, or what types of services must be provided before IAR status is triggered. One can argue that the specific exclusion of “impersonal investment advice” should be read to mean that if personal investment advice is rendered to a client, such a client would count for purposes of assessing potential IAR status.
Suffice it to say, however, that mere communication or meetings between a non-advisory administrative assistant or operational staff and a client would not cause the assistant or staff to be deemed to “have” a client for purposes of the definition. It seems logically implicit that “having” a client would only be ascribed to those rendering investment advice (such as primary and associate advisors).
It should also be noted that the SEC does not actually qualify, license, or register IARs at all. Thus, even if a person meets the SEC’s definition of IAR, the SEC has no statutory mechanism to qualify, license, or register that person; it is not the SEC that imposes the U4 filing requirement or the Series 65 (or Series 7 plus Series 66) exam requirement. IAR qualification, licensing, and registration requirements are wholly delegated to the states.
So can SEC-registered firms completely ignore state qualification, licensing, and registration requirements of IARs? In short, no.
While no state can impose its own registration, licensing, or qualification requirements on supervised persons of an SEC-registered firm that do not meet the SEC definition of IAR or do not have a place of business in such state (a Federal preemption borne out of the National Securities Markets Improvement Act of 1996, commonly referred to as “NSMIA”), a state may license, register, or qualify any person that meets the SEC’s definition of IAR and who has a place of business located within such state (see Section 203A of the Investment Advisers Act of 1940, also referred to simply as the “Act”).
Said another way, a new hire in an SEC-registered firm who meets the SEC definition of IAR and who has a place of business in a particular state will generally be subject to that state’s qualification and licensing/registration rules.
IAR STATUS OF STATE-REGISTERED INVESTMENT ADVISER FIRMS
The requirements for SEC-registered firms, and the SEC definition of IAR, stand in stark contrast to those for state-registered firms, whose definition of IAR casts a much more clearly articulated net.
When it comes to IARs of state-registered RIAs, the North American Securities Administrators Association (NASAA) offers a helpful summary of how most states define IAR (for context, NASAA represents state and provincial securities regulators in the United States, Canada, and Mexico, primarily by providing guidance and model rules for the various states to adopt or tweak at their discretion):
Most states follow a definition of investment adviser representative similar to that in the Uniform Securities Act. An investment adviser representative generally is a person who, for compensation (1) makes any recommendations or otherwise renders advice regarding securities; (2) manages accounts or portfolios of clients; (3) determines which recommendation or advice regarding securities should be given; (4) solicits, offers, or negotiates for the sale of or sells investment advisory services, or (5) supervises employees who perform any of the foregoing.
Any of the enumerated activities, regardless of the number of clients to whom such activities are directed, would sweep a person under the definition of IAR for state law purposes.
In contrast to the SEC definition, which identifies an IAR as someone with more than five clients who are natural persons (and more than 10% of whose clients are natural persons), most states impose no de minimis threshold and no exclusion for the irregular performance of such activities. However, when it comes to states, it is much clearer what constitutes “having” a client that would require becoming an IAR: advising and managing portfolios, or soliciting clients for those services (or supervising those who advise or solicit).
Ultimately, state-registered firms should consult their specific state(s)’ definition of IAR (which typically maps to the broader Uniform Securities Act definition referenced above) to assess nuances that may need to be taken into account for their new hires; unfortunately, this means that multiple states’ definitions may need to be consulted if the firm is registered in multiple states and/or the new hire will live and/or work in a state in which the firm is not yet registered.
CONSIDERATIONS FOR DETERMINING IAR STATUS FOR BOTH STATE- AND SEC-REGISTERED FIRMS
From a practical perspective, the following activities of a new hire would likely trigger IAR status for both state-registered and SEC-registered firms:
- Rendering personalized investment advice to a client;
- Managing client investment accounts, or otherwise making trading decisions;
- Solicitation of new clients for the advisory firm; or
- Supervising other IARs (at least under the state’s IAR definition).
In contrast, the following activities of a new hire would likely not trigger IAR status:
- Performing solely administrative, clerical, or support functions;
- Pre-populating custodial account paperwork;
- Entering client-supplied information into financial planning software for an IAR’s review and delivery to a client;
- Entering trades into an order management system, if such new hire is simply following the trade instructions developed and approved by an IAR (i.e., the new hire is simply an order-taker and has no discretion to change any trading instructions provided); or
- Purely having access to sensitive client information, client investment holdings, or the investment recommendations delivered by an IAR to a client.
Supervised Persons And Access Persons Require Different Levels Of Compliance Oversight
Regardless of whether a new hire is an IAR or not (or whether they are a W2 employee or 1099 independent contractor, as discussed below), an advisory firm should assess whether the new person will be considered a “supervised person” and/or an “access person”, as this status will impact the extent of compliance oversight and reporting required for the new hire. Additionally, advisory firms are expected to maintain an ongoing and current list of all supervised persons and access persons associated with the firm.
The terms “supervised person” and “access person” are specific to SEC-registered advisory firms, but certain states have adopted similar concepts using alternative terminology such as “associated person”.
SUPERVISED PERSONS ARE SUBJECT TO A FIRM’S FULL SCOPE OF COMPLIANCE AND ETHICS POLICIES
The Investment Advisers Act itself contains the following definition of supervised person:
…any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or other person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.
Admittedly, the comma placement within this definition makes it somewhat subject to interpretation, leaving the universe of “supervised persons” to be broadly construed.
All partners, officers, directors, or similarly functioning personnel are clearly supervised persons, as are all persons who provide investment advice on behalf of the advisory firm. The distinction may not be as clear, though, with respect to other employees, and specifically non-IAR, non-partner/officer/director personnel that are classified as independent contractors.
The Form ADV Glossary offers some insight by shedding light on employees and when they should be regarded as supervised persons who are subject to the firm’s compliance policies and procedures. Specifically, the glossary includes independent contractors that perform advisory functions on behalf of the advisory firm in the definition of “employee”.
By extension, it stands to reason that a new hire classified as an independent contractor who does not perform advisory functions (e.g., whose role is administrative in nature), and who is not otherwise a partner, director, officer, or similarly functioning person, is not necessarily a supervised person of the advisory firm.
Firms should be cautious about taking undue advantage of this apparent carve-out for independent contractors who are not supervised persons, as the implications of misclassification are not insignificant.
The scope of who is determined to be a supervised person is important primarily because supervised persons are subject to the full brunt of the advisory firm’s compliance policies and procedures, and most, if not all, sections of the advisory firm’s code of ethics, as required by SEC Rule 206(4)-7 and SEC Rule 204A-1, respectively.
It is additionally important because one of the conditions for being deemed an “access person” is that such a person first be deemed a supervised person. In other words, all access persons are supervised persons, but not all supervised persons are access persons.
ACCESS PERSONS ARE SUPERVISED PERSONS WITH ADDITIONAL REPORTING REQUIREMENTS
The term “access person” is borne out of the SEC’s Investment Adviser Code of Ethics (Section 275.204A-1), which offers the following definition:
Access person means:
- Any of your supervised persons:
  - Who has access to nonpublic information regarding any clients’ purchase or sale of securities, or nonpublic information regarding the portfolio holdings of any reportable fund, or
  - Who is involved in making securities recommendations to clients, or who has access to such recommendations that are nonpublic.
- If providing investment advice is your primary business, all of your directors, officers, and partners are presumed to be access persons.
Any new hire that is determined to be an access person is subject to the personal securities account-reporting requirements contained in the SEC’s Code of Ethics Rule, which, in turn, means that initial securities holdings reports, annual securities holdings reports, and quarterly transaction reports must also be reviewed by the advisory firm’s chief compliance officer or other designated personnel.
The most difficult new hire to classify is an independent contractor who does not render investment advice on behalf of the firm: if they are not a supervised person, they cannot be an access person either. By contrast, all those classified as employees, regardless of job function, along with all IARs, clearly fall under the supervised person definition, so the only remaining question for them is whether they are also access persons.
For example, an independent contractor hired as a paraplanning or operational assistant that would otherwise be deemed an access person, except for the fact that they don’t meet the threshold definition of supervised person, would seem to pose the biggest misclassification risk from a regulatory perspective. Advisory firms should closely assess whether a new hire’s independent contractor status is truly justified before carving such a person out as a non-supervised (and subsequently non-access) person.
A BRIEF WORD ON W2 EMPLOYEES VS 1099 INDEPENDENT CONTRACTORS
There are a few threshold decisions that need to be made at or close to the outset of the new hire process, not the least of which is whether to retain a full-time W2 employee or whether to instead retain a 1099 independent contractor.
The legal and tax implications of this decision are beyond the scope of this article (particularly since they can vary state-by-state, complicated by the overlay of Federal rules), but firm owners should, at a minimum, consult the IRS article “Independent Contractor (Self-Employed) or Employee”, and the hyperlinked additional resources and definitions therein.
In brief, the primary consideration is the extent of control or independence that a new hire will have in the course of performing services for an advisory firm. While not the only factor in the W2 employee versus 1099 independent contractor analysis, control is an important point in the ultimate classification decision. The IRS offers this guideline about control to distinguish employees and independent contractors:
The general rule is that an individual is an independent contractor if the payer [e.g., the advisory firm] has the right to control or direct only the result of the work and not what will be done and how it will be done.
From a securities law perspective, though, the W2 employee versus 1099 independent contractor determination is not viewed through the same lens. For example, the IARD’s Form ADV Glossary defines the term “employee” to include independent contractors that perform advisory functions on behalf of the advisory firm.
This means that advisory personnel (i.e., generally those providing advice, managing portfolios, or soliciting clients for those services) that are independent contractors should be included in the Form ADV section that asks about advisory firms’ employees (Part 1A, Items 5A and 5B).
This, in turn, means independent contractors can also fall under the definition of “supervised person” and then “access person”, potentially subjecting them to the firm’s compliance rules and code of ethics, along with additional reporting requirements for the firm.
Notably, the November 9, 2020, SEC Risk Alert, “Observations from OCIE’s Examinations of Investment Advisers: Supervision, Compliance and Multiple Branch Offices” indirectly discourages firms from treating independent contractors differently from employees from a supervisory perspective, and recommends that advisers instead adopt and implement written compliance policies and procedures that apply to all office locations and all supervised persons, “regardless of whether these individuals were independent contractors or employees of the adviser.”
While Section 1 of Form U4 specifically asks whether the IAR to be associated with the advisory firm has an independent contractor relationship with the firm, it’s not clear whether there are any specific implications of answering “yes” or “no” to this question. It may be included primarily for regulatory information gathering and statistical analysis purposes.
Information Security And Client Privacy Obligations
Once all preliminary new hire classification decisions have been made as described above, and the advisory firm has identified any supervised persons subject to the firm’s compliance policies and procedures and code of ethics, and access persons subject to personal securities reporting obligations, the firm should next evaluate the nature and extent of information security controls it will utilize to safeguard Nonpublic Personal Information (NPI) about its clients, and how such controls will be applied to the new hire.
Such controls could involve some of the following examples:
- Assessing if the new hire will solely perform services from within the advisory firm’s office, or whether they will be permitted to work remotely using a virtual private network or by logging into the advisory firm’s server;
- Identifying the systems and tools the new hire would need to perform their job functions, and what security controls would be in place and activated;
- Determining which communication mechanisms the new hire will utilize, and whether/how NPI is to be communicated through such systems (such as email, phone, internal messaging service, video conferencing technology, etc.); and
- Deciding whether the new hire will be permitted to use their own personal device(s) and access NPI from such device(s), or whether the advisory firm will issue its own hardware to the new hire.
Importantly, information security controls should be in place for both electronic and non-electronic data to protect client NPI. While many advisory firms have evolved into a primarily electronic or paperless environment, cybersecurity controls can be rendered moot if, for example, an advisory firm leaves sensitive printed documents or mail unsecured in an unlocked office overnight or on the weekend.
Ultimately, the goal of an information security program is to safeguard all client NPI that an advisory firm has obtained; information security controls are simply a means to that end.
HOW REG S-P SAFEGUARDS CLIENTS’ NONPUBLIC PERSONAL INFORMATION (NPI)
The components that constitute client NPI are surprisingly convoluted, but at a high level, Reg S-P posits that NPI includes any of the following:
- information that a client provides to the advisory firm to obtain a financial product or service;
- information about a client as a result of any transaction involving a financial product or service between the advisory firm and the client; and
- information the advisory firm otherwise obtains about a client in connection with providing a financial product or service to that client.
This is an intentionally broad definition, but Reg S-P does present certain exclusions and carve-outs that are beyond the scope of this article.
The regulatory nexus of an advisory firm’s obligation to safeguard client NPI is Regulation S-P (Reg S-P): Privacy of Consumer Financial Information and Safeguarding Personal Information. Specifically, Section 248.30(a) of Reg S-P requires every advisory firm registered with the SEC to:
…adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
There is a nuanced definition of who is considered to be a “customer” of an advisory firm for purposes of the Reg S-P safeguarding requirement, but generally, customers are considered to be clients to whom the advisory firm provides one or more financial products or services that, “are to be used primarily for personal, family, or household purposes” (which is language some readers may recognize from the recently adopted Form CRS).
The takeaway is that advisory firms should have written policies and procedures describing how they protect their clients’ NPI… and should actually carry out the tenets of such policies and procedures. This is the case even for solo advisory firms that have not yet retained their first new hire. Once a new hire is brought into the fold, the question becomes how the advisory firm can permissibly share client NPI with the new hire without violating Reg S-P or its information security policies and procedures.
In this instance, the answer implicitly depends on whether the new hire is classified as a “nonaffiliated third party”. In this context, an “affiliate” is a company that controls, is controlled by, or is under common control with the advisory firm (including the employees of those businesses), and any other third party is a “nonaffiliated third party”.
Thus, Reg S-P does not specifically distinguish between W2 employees or 1099 independent contractors, IARs or non-IARs, or even supervised persons or access persons; instead, the rule is simply that those who are employees of the RIA itself (or its direct affiliates) fall under the affiliate definition, and anyone else is a nonaffiliated third party.
The distinction between affiliates (and employees of affiliates) and nonaffiliated third parties is important because affiliates (and employees of the advisory firm itself) are already subject to the general fiduciary obligation to protect their clients’ private data, whereas Reg S-P specifically pertains to when client NPI is shared with a nonaffiliated third party. This means that client NPI shared with a nonaffiliated third party is subject to the initial and ongoing privacy notice requirements of Reg S-P, as well as potential opt-out requirements and limitations on use. Client NPI shared with someone other than a nonaffiliated third party is not subject to the same requirements or restrictions.
As applied to the spectrum of potential new hires, this effectively means that any independent contractor with whom client NPI is to be shared will be considered a nonaffiliated third party and will be subject to the privacy notice, opt-out, and use limitations prescribed by Reg S-P. Employees of the advisory firm, on the other hand, are de facto affiliates of the advisory firm, so sharing client NPI with employees does not trigger the same Reg S-P implications.
So does this mean that advisory firms have to give clients an opportunity to opt out of the sharing of their NPI with nonaffiliated third parties or otherwise obtain their active consent to such sharing in each instance? This would seem exceedingly cumbersome and impractical, especially given the potential universe of third parties that would need to be accounted for (such as the advisory firm’s custodian, financial planning software provider, outsourced virtual assistants, independent paraplanners, etc.).
EXCEPTIONS TO REG S-P REQUIREMENTS FOR NONAFFILIATED THIRD PARTIES
Luckily, there are a few meaningful exceptions built into Reg S-P that streamline the sharing of client NPI with nonaffiliated third parties that can guide firms on how to handle information-sharing without requiring a separate consent form or providing an opportunity to opt-out.
Third Parties Under Contractual Agreement
The first exception, detailed in Section 248.13, eliminates the consent/opt-out requirement that would otherwise be imposed if the advisory firm shares client NPI with a nonaffiliated third party that offers services to (or operates on behalf of) the advisory firm if the firm meets the following two requirements:
- Provide the initial [privacy] notice in accordance with §248.4; and
- Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in §248.14 or §248.15 in the ordinary course of business to carry out those purposes.
Thus, if an independent contractor is hired to perform services for or functions on behalf of the advisory firm and contractually agrees to use any client NPI solely for the purpose of fulfilling its services for the advisory firm, client NPI can indeed be permissibly shared with the independent contractor without affording the client a separate consent/opt-out right, provided that the advisory firm delivers its standard initial client privacy notice.
A far-from-exhaustive list of such permissible services and functions could include the following activities:
- Entering client NPI into a CRM system, financial planning software, investment policy statement, or custodian new account opening form;
- Developing an asset allocation, placing trades in an order management system, or designing a financial plan;
- Managing an advisory firm owner’s email, calendar, workflow, or to-do list; or
- Performing compliance-related testing or analysis.
Acting Under Client Direction Or Authorization
The second exception, explained in Section 248.14, eliminates the consent/opt-out requirement if the firm discloses client NPI “as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with” the following:
- Processing or servicing a financial product or service that a consumer requests or authorizes;
- Maintaining or servicing the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
- A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.
Thus, the consent/opt-out requirements are nullified if, for example, a client directs or authorizes the advisory firm to place orders through a specific broker-dealer, or if they direct or authorize the retention of a specific sub-adviser.
Other Exceptions Outlined In Section 248.15
The third exception, explained in Section 248.15, is a miscellaneous catch-all exception to the consent/opt-out requirement that applies to the following scenarios (excerpted from relevant parts of Section 248.15 itself):
- If the client has consented to or directed the sharing;
- To protect the client’s confidentiality or secure the advisory firm’s records;
- To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
- To persons holding a legal or beneficial interest relating to the consumer;
- To persons acting in a fiduciary or representative capacity on behalf of the consumer;
- To law enforcement agencies;
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit;
- To comply with Federal, state, or local laws, rules, and other applicable legal requirements;
- To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; and
- To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.
The SEC’s FAQ #13 regarding Reg S-P summarizes an example of the consent/opt-out exception nicely:
Q: Must an investment adviser permit its customers to opt out before the adviser shares nonpublic personal information about the customers with (i) a nonaffiliated broker-dealer in order to execute trades on behalf of the customers or (ii) a nonaffiliated custodian that holds securities on behalf of the customers?
A: No. Regulation S-P permits financial institutions in certain circumstances to share nonpublic personal information about consumers (and customers) with nonaffiliated third parties without providing them with notice of and opportunity to opt out. These circumstances include sharing information with a nonaffiliate (i) as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, (ii) in connection with processing or servicing a financial product or service a consumer authorizes, and (iii) in connection with maintaining or servicing the consumer’s account with the institution. Under these exceptions, an investment adviser need not provide a customer the opportunity to opt out before sharing nonpublic personal information about the customer with (i) a nonaffiliated broker-dealer in order to execute trades the customer has authorized and (ii) a nonaffiliated custodian that holds securities on behalf of the customer.
It’s worth re-emphasizing that these exceptions do not negate the need for SEC-registered firms to implement policies and procedures to protect client information as specified in Section 248.30(a). Rather, they apply only to certain consent and opt-out elements of Reg S-P.
In summary, an advisory firm should observe the following safeguard, notice, and opt-out requirements to comply with Reg S-P:
- Adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
- Deliver a written privacy notice to clients that describes the advisory firm’s privacy policies and practices at or before entering into an advisory relationship with clients. Advisory firms are strongly encouraged to consider adopting a Federal model privacy notice form developed jointly by multiple Federal regulatory agencies and posted on the SEC’s website.
- Deliver an opt-out notice to the client or otherwise obtain the client’s consent if sharing NPI with a nonaffiliated third party in such a way that does not fit within one of the above-referenced exceptions.
- If an advisory firm’s information sharing or privacy practices change, it should re-deliver its updated privacy notice (and opt-out notice, if applicable) to all existing clients. Notably, as of 2016, SEC-registered advisers are no longer required to re-deliver their privacy notices on an annual basis if (a) they do not share client NPI in a manner that triggers an opt-out notice, and (b) they have not changed their privacy and information sharing practices as previously/currently disclosed in their current privacy notices. State-registered advisers may still be subject to annual re-delivery requirements.
New Hire Information Security And Sharing Best Practices
If a new hire doesn’t need access to client NPI (e.g., the firm’s CRM system) to perform their job responsibilities, don’t grant it. Keeping new hires on a need-to-know basis also narrows the due diligence required, since the considerations below scale with what the person can actually reach.
In addition to the classification decisions and Reg S-P requirements described above that advisors should consider during the hiring process, below are some suggested best practices to follow when making both pre- and post-hiring decisions.
PERFORM DOCUMENTED INITIAL DUE DILIGENCE ON THE PERSON OR FIRM TO BE RETAINED
This is especially important if the new hire will be the recipient of and have access to client NPI. Consider having would-be employees undergo a background check through the likes of GoodHire or a similar service, and conduct some sleuthing via your favorite web search engine.
To the extent the new hire is an independent contractor or a third-party firm, search for any information security, data retention, and privacy practices the firm makes publicly available.
Request any independent control reports the third party may have undergone (for example, larger service organizations may have a SOC 2 audit report, which includes an independent auditor’s testing of the organization’s controls; check the report’s coverage period, which systems are in scope, and whether the Privacy trust services criterion was actually included, since many SOC 2 reports cover only Security), and consider having the third party complete a due diligence questionnaire, supplying any helpful documentation with respect to its privacy and security practices.
Some example questions that can be included as part of such due diligence questionnaire are listed below.
Sample Third-Party Privacy/Security Due Diligence Questionnaire
- In a narrative format, describe the physical and electronic controls in place to protect nonpublic information in your possession or control.
- Indicate which of the following privacy/information security practices are memorialized in a written policy that is communicated to your personnel:
- Minimum length/complexity requirements for passwords
- Changing of passwords with a certain regularity (note that current NIST SP 800-63B guidance favors changing passwords on evidence of compromise rather than on a fixed schedule)
- Use of multi-factor authentication
- Use of a virtual private network or secure Wi-Fi connection
- Use of company-issued hardware devices
- Prompt notification of when a hardware device is lost or stolen, or if any user credentials are otherwise compromised
- Periodic training on information security threats and best practices
- Return of all company-issued hardware devices
- Use of encryption or other secure means when transmitting nonpublic information
- Use of and implementation of updates to anti-virus, anti-malware, and other protective software services
- Use of a password manager
- Provide a copy of your privacy notice or description of your information-sharing practices.
- What is your incident response plan in the event that you experience an information security breach, intrusion, hack, attack, or otherwise have any nonpublic information compromised?
- Within the last 5 years, have you experienced any information security breach, intrusion, hack, attack, or otherwise had any nonpublic information compromised? If yes, describe any such instances and remedial measures subsequently undertaken.
- In a narrative format, describe your disaster recovery and business continuity plan (or, alternatively, provide copies of such plans), as well as the results of any testing performed with respect to such disaster recovery and business continuity plan.
- In a narrative format, describe any internal risk assessments or third-party audits you have undertaken with respect to your privacy and information security practices. If so, describe the results of such assessments or audits and any remedial measures subsequently undertaken.
- Do you utilize a third-party information technology consultant or firm to manage or assist with the administration, monitoring, or maintenance of your privacy/information security program? If so, describe the services provided by such consultant or firm.
ENTER INTO A WRITTEN AGREEMENT WITH THE NEW HIRE
This can include appropriately tailored confidentiality and non-disclosure obligations, including how client NPI is to be handled both during the course of the agreement and after its termination. This can be included as part of an employment offer letter or broader independent contractor agreement, or it can be a standalone agreement solely dedicated to confidentiality and client NPI.
An overview of the components of such an agreement is provided below.
PROVIDE ONGOING SUPERVISION, TRAINING, AND PERIODIC DUE DILIGENCE OF THE NEW HIRE
In addition to supervision and due diligence tasks, firms should ensure that initial and ongoing training on topics related to information security and sharing is provided to employees, supervised persons, and access persons. Conduct work-product reviews, and periodically require the new hire to complete a signed, written attestation or certification that they have abided, and will continue to abide, by the advisory firm’s privacy, information security, and related policies.
Firms shouldn’t be afraid to periodically re-sleuth on their favorite web search engine to uncover any publicly available information that may speak to the new hire’s ability to adhere to information security and sharing requirements.
HAVE A READILY EXECUTABLE PLAN THAT CAN BE IMPLEMENTED UPON THE TERMINATION OF A NEW HIRE’S RELATIONSHIP WITH THE ADVISORY FIRM
Maintain a current list of all systems and information that a new hire has access to, and stand ready to methodically but quickly terminate access to such systems and information in the event of the new hire’s planned (or unplanned) departure. This process can be made immensely easier by having a current checklist of such systems and information, including URLs to visit, phone numbers to call, or forms to submit in order to facilitate the termination. Also rotate any shared credentials the departing person knew, retrieve company-issued devices, and confirm (rather than assume) that each revocation actually took effect. Alternatively, advisory firms may find it easier to delegate this responsibility to an outsourced information technology firm.
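The checklist only covers what the firm has written down, so the inventory itself needs checking against what each system actually reports. The following is an added example, not tooling from the original article: it keeps a person-to-system access inventory, produces the revocation checklist with NPI-bearing systems first, reconciles the inventory against "active user" exports pulled from each system's admin console (catching accounts nobody recorded), and confirms that a departed person's accounts are really gone. All system names, account ids, URLs and phone numbers are constructed sample data.

```python
"""Offboarding access inventory with reconciliation against system exports.

Added illustration for this article (not the author's tooling). All names,
account ids and systems below are constructed sample data.
"""

# Constructed inventory: person -> {system: account id used on that system}
INVENTORY = {
    "jane.doe": {
        "crm": "jdoe",
        "custodian_portal": "jane.doe@example-ria.com",
        "email": "jane.doe@example-ria.com",
    },
    "sam.lee": {"crm": "slee", "email": "sam.lee@example-ria.com"},
}

# Constructed "active users" exports, as pulled from each system's admin console
EXPORTS = {
    "crm": {"jdoe", "slee", "owner"},
    "custodian_portal": {"jane.doe@example-ria.com", "owner@example-ria.com"},
    "email": {
        "jane.doe@example-ria.com",
        "sam.lee@example-ria.com",
        "owner@example-ria.com",
        "contractor-temp@example-ria.com",  # never recorded in INVENTORY
    },
}

# Systems that expose client NPI are revoked first; the rest follow alphabetically
NPI_SYSTEMS = {"crm", "custodian_portal"}

# Where to go to terminate access on each system (constructed placeholders)
REVOKE_VIA = {
    "crm": "https://crm.example/admin/users",
    "custodian_portal": "call custodian advisor support, +1-555-0100",
    "email": "https://mail.example/admin",
}

# Accounts that belong to the firm owner and are not tracked per hire
IGNORED_ACCOUNTS = {"owner", "owner@example-ria.com"}


def checklist(person, inventory=INVENTORY):
    """Ordered revocation steps for a departing person: NPI-bearing systems first."""
    systems = sorted(inventory[person], key=lambda s: (s not in NPI_SYSTEMS, s))
    return [
        f"{'[NPI] ' if s in NPI_SYSTEMS else ''}revoke {inventory[person][s]} on {s}: {REVOKE_VIA[s]}"
        for s in systems
    ]


def reconcile(inventory=INVENTORY, exports=EXPORTS, ignore=IGNORED_ACCOUNTS):
    """Compare the inventory with what the systems actually report.

    Returns (undocumented, stale):
      undocumented - active accounts with no inventory entry (the checklist would miss them)
      stale        - inventory entries the system no longer reports (inventory needs cleanup)
    """
    documented = {(s, a) for accts in inventory.values() for s, a in accts.items()}
    undocumented = sorted(
        (s, a) for s, accts in exports.items() for a in accts
        if (s, a) not in documented and a not in ignore
    )
    stale = sorted((s, a) for (s, a) in documented if a not in exports.get(s, set()))
    return undocumented, stale


def still_active(person, inventory=INVENTORY, exports=EXPORTS):
    """Systems on which a supposedly offboarded person still has an active account."""
    return sorted(s for s, a in inventory[person].items() if a in exports.get(s, set()))


if __name__ == "__main__":
    for step in checklist("jane.doe"):
        print(step)
    print("undocumented / stale:", reconcile())
    print("still active for jane.doe:", still_active("jane.doe"))
```

Run `reconcile()` on a schedule, not only at departure: the `contractor-temp` mailbox in the sample exports is exactly the kind of account that an inventory-driven checklist would never revoke. After working the checklist, re-pull the exports and require `still_active(person)` to be empty before closing the offboarding.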
How Much Due Diligence Is ‘Due’ For New Hires?
With respect to ongoing due diligence, an advisory firm owner might justifiably be wondering what degree of responsibility and culpability they have with respect to the information security and sharing practices of nonaffiliated third parties. At least for Reg S-P purposes, FAQ #14 provides only a moderately helpful response:
A financial institution is not responsible under Regulation S-P for the privacy practices of a nonaffiliated third party with whom the institution shares information under an exception listed in sections 248.14 or 248.15 (such as a broker that executes transactions the client has authorized). Regulation S-P limits the ability of these nonaffiliates to use and share information they have received in those circumstances. If the nonaffiliate receiving the information under an exception is a broker-dealer, fund, or investment adviser registered with the Commission, the Commission could enforce the provisions of Regulation S-P with respect to the nonaffiliate.
While at first blush, this response appears to helpfully limit an advisory firm’s responsibility for the privacy practices of nonaffiliated third parties, the Reg S-P opt-out exception afforded to service providers by Section 248.13 is conspicuously missing.
Thus, if client NPI is shared with a nonaffiliated third party under Section 248.13, the non-responsibility position does not appear to apply.
On the other hand, in the Adopting Release for Reg S-P, the SEC states the following:
…we have decided not to revise the rule to impose a specific duty on broker-dealers, funds, and registered advisers to monitor third parties’ use of nonpublic personal information they provide.
The context in which this statement is presented suggests it would apply in the event the nonaffiliated third party was independently subject to Reg S-P. In any event, this nuance of Reg S-P appears to be a bit muddy.
What I can say is that the concepts of ongoing due diligence are certainly incorporated into the SEC’s Risk Alerts and other public statements regarding cybersecurity, and that such expectations are framed in the context of an advisory firm’s obligation for ongoing vendor oversight.
Growth inevitably brings complexity, and the rabbit holes exposed by hiring an additional advisor, staff, or service provider are prime examples. With some advanced planning, as well as a respect for the compliance, privacy, and information security requirements triggered by such growth, the addition of a new hire can be an incredibly rewarding decision that will help level up an advisory firm owner’s business while freeing up time in the long-term!
* * * * *
This article originally appeared in Michael Kitces’ Nerd’s Eye View on November 8, 2021.