Quest CE joined 500+ other industry peers at the IAA Compliance Conference in Washington, DC this past week to see what’s new in the compliance world, catch up with friends, colleagues, and clients, and hand out some pretty trendy compliance swag at the Quest CE booth.

For those of you who also attended, we hope you were able to stop by to say hello! If you didn’t get the opportunity between all the sessions and networking, please don’t hesitate to reach out with any questions – we’d love to chat with you any day!

While it’s nearly impossible to summarize all the great information that was shared during this jam-packed 2-day event, here are our top three takeaways from the IAA Compliance Conference.

Marketing Rule: SEC will Ensure Facts are Verifiable

Conference panelists confirmed what SEC staff stated in their recent Risk Alert, that they will be reviewing to see whether investment advisers have a reasonable basis for believing they can back-up material statements of fact in advertisements. The Marketing Rule prohibits advertisements that “[i]nclude a material statement of fact that the adviser does not have a reasonable basis for believing it will be able to substantiate upon demand by the Commission.”

At the conference, the SEC reiterated that if a firm is unable to substantiate upon demand, examination staff will “presume that the adviser did not have a reasonable basis for its belief.”

Complying with this requirement could look very different at each firm, depending on the stance you take. Some firms may want to document their claims for each ad, other firms may want to establish a general file for the claims most used in advertisements. The key here is the “upon demand” component. There isn’t a hard and fast rule on necessarily maintaining a bible of all of these substantiated facts for books and records, it’s more so about having something in your back pocket should the SEC ask for it. Facts will be verifiable, opinions will not! Take, for example, the claim “we’re the best Investment Advisory firm out there!” Is this a fact or opinion? If you’re unable to substantiate the material claims, the SEC will have something to say about it.

ESG: Disclosure is Key in Long Road Ahead

One proposal currently on the SEC’s table, which was of great interest during the conference, was the ESG Fund Disclosure Proposal. This rule change would impact how US mutual funds disclose their environmental and social governance (“ESG”) programs, with increasing levels of detail depending on the level of ESG consideration.

Funds that incorporate ESG considerations into their overall investment programs as one factor among many (i.e., “Integration Funds”) would have marginally increased disclosure obligations concerning how such factors are considered. Funds that consider ESG factors as “significant or main” consideration (i.e., “ESG-Focused Funds”) and funds that seek to achieve a particular ESG impact (“Impact Funds”) would be subject to more granular disclosure obligations about their ESG considerations, including completing a standardized ESG disclosure in tabular format.

In addition to this proposal, there have been various states that have adopted or proposed several pieces of legislation either seeking to limit or support the consideration of ESG factors in making investment decisions, especially relating to the use and investment of state funds. Just since the start of the 2023 legislative session and as of February 13, 2023, twenty-six states have proposed new ESG investing-related bills. Many of these states have proposed multiple forms of ESG investing bills—one state has nineteen different versions of proposed ESG bills that would restrict ESG investing with state assets, and another has four different versions of proposed bills that would restrict ESG investing and one proposed bill that would encourage ESG investing.

SEC staff reiterated that this topic is not going away and will have an instrumental impact on IA firms in the years to come. One recommendation that panelists provided is that you have to provide clear and accurate disclosures. You might be doing something for an ethical reason or financial gain, but you can’t muddy the two. He provided the example of hotels often using language that they are trying to save the environment by washing towels less often. “No, you’re not, you’re just trying to save money/resources.”

Cybersecurity: Concerns Raised over Proposal

Another topic that gained no shortage of attention was the SEC’s proposed Cybersecurity Rule. Under the rule, RIAs and registered funds would need to report “significant” cybersecurity incidents on Proposed Form ADV-C. A firm would need to notify the SEC within 48 hours after having a “reasonable basis to conclude” that such an event occurred. There is also a caveat that updates to Form ADV-C must be made within 48 hours after the time when previously reported information becomes materially inaccurate or the discovery of new information related to the incident.

Several concerns with the proposal were voiced by IAA staff that included 1.) what is considered a “significant adviser” or a “significant fund” cybersecurity incident? 2.) the timeline of 48 hours and how quickly or accurately firms will be able to disclose an incident and 3.) what the Form ADV-C review process will look like once a form is submitted and how quickly they should expect to hear from SEC staff.

The rule also requires advisors to set up agreements with third-party vendors to gauge their own cybersecurity protocols. While one of the panelists argued this gave firms leverage in negotiations, another cited a time when readying for the marketing rule that some vendors refused similar requests because they were not under the commission’s jurisdiction. One example that was provided was Amazon Web Services – “What leverage do I have with these big vendors? They will always want to use blanketed contract terms.”

Following the conference, the SEC agreed to reopen the public comment period on this proposal for 60 days. The reopening of the public comment period also came on the same day commissioners approved a number of cyber and data privacy-related rules, including amendments to Regulation S-P that would require RIAs to “provide notice to individuals affected by certain types of data breaches” that might leave them vulnerable to identity theft.