At the half-way point in its fiscal year, the U.S. Securities and Exchange Commission (SEC) is accelerating and intensifying its aggressive examination, enforcement and rule-making initiatives for 2023. This poses significant regulatory and compliance risk, as well as costs, for both persons and entities that fall within the agency's crosshairs. Undaunted by the current crisis in the banking sector, the meltdown in the digital asset market, the looming threat of recession, rising interest rates, inflation concerns and market volatility, the SEC continues to flex its regulatory powers. The agency has recently enacted or proposed a host of new rules related to trading by corporate insiders, cybersecurity, custody of client assets, private funds, marketing, privacy, supervision of outsourced vendors, climate risk, valuation and derivatives, among others. Further, the Division of Examinations (EXAMS) is well under way in implementing its priorities when conducting compliance reviews of the variety of registrants that are subject to the SEC's examination powers, including registered investment advisers, broker-dealers, exchanges and municipal advisers.

Kroll's multi-disciplinary team of subject-matter experts has formulated the following eight compliance enhancements and related actionable strategies, which we recommend to effectively address potential exposure to material examination deficiencies or public enforcement actions:

The SEC and other U.S. regulators expect registrants to have a robust compliance culture and to tailor compliance systems, processes and procedures in a manner that is risk-based and relevant to the registrant’s business. Our readers are encouraged to confer with their experts regarding local-area priorities, emerging risks, enforcement activity and agency risk alerts that may cause registrants to adjust their risk identification and compliance mitigation strategies.

The 8 Rules

Emboldened by their success in obtaining sanctions and over $1 billion in monetary penalties, mostly against broker-dealers, both EXAMS and the SEC's Division of Enforcement have turned their attention to assessing the state of compliance with the books and records, compliance program and material non-public information (MNPI) controls at registered investment advisers (RIAs). While most registrants have policies and procedures in place to address the archiving and review of required information that is exchanged via electronic mail, recent enforcement inquiries and examinations reflect an ongoing concern by regulators that buy-side market participants may be engaging in business-related communications via a variety of messaging platforms—without the firms complying with the books and records, MNPI-controls and compliance program obligations under the Investment Advisers Act of 1940 (Advisers Act).

Putting aside noted differences between what qualifies as a required "book or record" that must be maintained for the prescribed period by RIAs and what is required for broker-dealers, the regulators are reviewing firms’ authorized communications and archiving systems—and in some instances, personal devices used for business purposes—to determine whether supervised persons are using chat and text messaging applications that have not been archived or reviewed by the RIAs. Use of these so-called “off-channel” communications platforms by senior-level personnel is viewed as an aggravating factor when the regulators assess the sanctions to be imposed and the remediation steps that must be taken if violations are uncovered.

Mitigation Steps

As we indicated in an article published in early 2022, we are not aware of a perfect technology solution that can be deployed to ensure that RIAs meet their chat and text message-related books and records obligations in all circumstances. Registrants have to design, implement and test a set of reasonable policies and procedures that are tailored to the risk if they permit, or have reason to know, that their supervised persons are using such a medium for business purposes.

At a minimum, organizations must be prepared to:

  • Demonstrate that they have reviewed and tailored the applicable policies and procedures governing the forms of permitted and non-permitted electronic communications tools
  • Clearly define records that are required to be maintained and preserved as specified by the Advisers Act
  • Foster a compliance environment where non-compliant personnel are accountable and where supervisors themselves are operating within the firm’s policies
  • Provide periodic and documented training and reminders to firm personnel on the risks, policies and procedures related to the use of text messages and personal emails for business purposes
  • Ensure systems are designed to prevent users from downloading any program they wish to use and require authorization requests for non-standard software
  • Document the findings of any internal investigations conducted by or on behalf of the firm in the event of a breach of the electronic communications policies and procedures

While many industry pundits predicted an increase in regulatory activity under the current administration, the SEC's rulemaking, enforcement and examination activities have far outpaced even the most optimistic projections. The SEC, using all available tools in its regulatory quiver, has been public about its expectations, levied hefty monetary penalties, imposed monitors, extracted admissions and held individuals accountable for violations. In addition, the SEC has signaled that it expects firms that become aware of violations to self-report misconduct to examiners during the course of examinations without being prompted to do so—clearly exposing another potential issue for registrants to navigate.

Kroll's experts have highlighted these eight compliance risk areas and provided practical guidance on steps to mitigate them. However, these risk areas are not exhaustive, and registrants are urged not to ignore the building blocks of a well-designed compliance program, including a knowledgeable and empowered CCO; effective supervision and governance; robust risk identification; a tailored set of compliance policies and procedures that is designed and implemented to detect and prevent violations of applicable laws; a compliance culture and value system that is baked into the firm's DNA; and effective testing, training and documentation—all wrapped in a healthy dose of adherence to fiduciary duty (or best interest, as applicable) and disclosure and mitigation of conflicts.

For firms considering adding external resources to their exam preparation arsenal, Kroll is here to help, offering subject-matter expertise and industry insights into these and many other compliance and operational matters.
