How our fintech startup became SEC-compliant

After the recent failures of financial institutions like FTX and Silicon Valley Bank, regulators have been blamed for poor examination processes and weak enforcement of the regulations financial organizations in the U.S. must follow. However, our experience with the Securities and Exchange Commission’s licensing and examination appeared legitimate. From our perspective, they help protect clients.

To begin with, obtaining registered investment adviser (RIA) status in the U.S. allows companies to deliver personalized investment advice and comply with relevant laws. For a fintech startup operating in the investment advisory domain, it is impossible to offer services in the U.S. without RIA status, and it also helps to build trust with prospective clients.

In our case, we obtained RIA status approximately 18 months ago. The process involved preparing multiple documents, incurred expenses of approximately $50,000 for legal services and filing fees, and took around three months to complete.

What our experience was like:

  • We got a call out of nowhere.
  • Next step: an introductory two-hour meeting.
  • The list of documents they requested.
  • Adjustments during the review and outro call.

At some point after obtaining status, you can expect to be examined by the SEC. The agency routinely conducts examinations to ensure that companies or individuals providing financial services or advice comply with securities laws and regulations. Even if there are no claims against your company, these examinations can happen at any time to review your policies, services and records.

As part of the process, the SEC may conduct interviews, scrutinize existing policies and marketing materials, and request a detailed description of the financial services provided to clients. The duration of the examination process can vary depending on factors such as the size and complexity of the firm being examined. A complex examination can take up to six months or more.

We incurred expenses of approximately $50,000 for legal services and filing fees; the examination process took around 3 months to complete.

After conducting the examination, the SEC will provide a letter that outlines its findings. If no major issues are discovered, your firm will have two months to address any concerns raised by the SEC. It is important to take these findings seriously and address any issues promptly to ensure compliance with applicable securities laws and regulations.

We got a call out of nowhere

It was just a regular workday when a call came in to our company phone number. The speaker introduced themselves as part of the SEC office in San Francisco, double-checked the email information of our company executives and announced that we were under examination as part of the SEC’s standard practices. I was also told that soon we would need to arrange an introductory meeting with their team.

I didn’t even know the SEC had an office in San Francisco.

Next step: An introductory two-hour meeting

When we arrived, there were three people representing the SEC and two representatives from our company: me and Chief Investment Officer Mike Stukalo. As I remember, our discussion was not recorded, which felt like a nice touch. I was impressed by how well prepared they were; they had clearly read our website, blog posts, marketing materials and ADV brochure, the primary disclosure document that we update each year as a company with registered investment adviser status. They had a pretty decent understanding of our product before the conversation.

After an introduction and basic questions, they asked very specific questions about how exactly our product worked to understand every little detail. The majority of these two hours of conversation was related to the product and what it does. Everyone was very polite and nice: It felt more like a demo call to a potential customer.

The trickiest questions were mostly related to cryptocurrencies, whether we have them as a part of our product offering and why we have some marketing materials on our website. We had one part of our website dedicated to different cryptocurrencies for information purposes, but they were not a part of the product offering.

This took place shortly after FTX declared bankruptcy, and it felt like they were very concerned about whether we had anything related to it. To me, it felt like a crypto offering was the only one they were concerned about.

The list of documents they requested

At the end of the introductory meeting, we were told that they would shortly come back to us with a request for additional information and documents about our organization, our partnerships, information security practices and more.

I believe that each company might be asked something different, but here’s what they asked us for. Generally speaking, the list included pretty much everything related to our company that you might imagine:

General background

  • Our current organization chart, with ownership percentages, control persons and all affiliates.
  • A list of key vendors, including banking, brokerage, KYC, compliance, legal, cybersecurity, IT, custodian, trading venues, accounting, audit and others.
  • List of key integration vendors.
  • Specific mechanisms of recommendations used by our product, for example, artificial intelligence, machine learning, etc.
  • Our KYC and KYT policies and procedures, along with a description of the operational protocols and procedures related to deposits and withdrawals to/from current or potential client accounts.

Portfolio management and brokerage practices

  • A list of investment portfolio model(s) offered by the company. For each we needed to include a description of the model relating to the strategy employed, the type and number of securities/tokens included, the general range of asset class/security weightings, the risk level assigned to the model, and any other significant characteristics that distinguish the model. They also asked us to indicate the frequency and the nature of portfolio modification and describe our rebalancing method/triggers and frequency.
  • A copy of our client onboarding questionnaire.
  • A copy of the model/formula used to determine the risk rating/tolerance and recommended portfolio/asset allocation for each client account.

Compliance oversight

  • Any discretionary selections clients can make in terms of portfolio composition.
  • Trade error-handling policy and procedures.

Marketing and advertising

  • Any ads (e.g., websites, apps, podcasts, search engine advertisements, etc.) used to solicit or inform users or current or potential clients, including social media and influencers.
  • Compensated client referral programs.
  • If not publicly available, all pitch books, pamphlets, brochures, videos and any other promotional and/or marketing materials.

Cybersecurity

  • A copy of our information security policy, along with other policies and procedures regarding how we protect personally identifiable information.

After that, my partner Mike and I (mostly Mike) worked to provide information about everything. However, if you do everything correctly in the first place, gathering the required information should not be a big problem.

Most requests were for existing documents we needed to operate properly as a business. In our case, we spent about a week properly preparing and sending everything out. It took about six weeks more for the SEC to review.

Adjustments during review and outro call

While the SEC conducted its document review and examination, they occasionally asked additional questions and advised us about what we needed to update in our product and website to make it more straightforward and compliant. For example, we added notes to charts about data representation, along with more information about our security practices and other disclaimers.

At the end of the review, we had an outro call to discuss all the findings and adjustments we needed to make and received a formal letter for future updates.

The overall examination process was time-consuming, but afterward, I felt that our team was better prepared for unexpected situations, ultimately leading to better client experiences and fewer potential legal complications. It also didn’t feel like the SEC was there to judge and punish; it felt more like a partner that helped us become a better version of ourselves.

It’s important to exercise caution when innovating and creating new investment products, as too much creativity in the wealth-management industry can potentially lead to trouble with regulators. Many regulations were created before fintech became widespread, so be mindful of compliance requirements.