Bates Research  |  05-13-21

NASAA Touts Latest Model Rules on Compliance, Continuing Education for Investment Advisers; Offers Guidance on Cybersecurity


In its April 2021 Investment Adviser Section Report highlighting 2020 activities, the North American Securities Administrators Association ("NASAA") promoted the November 24, 2020 adoption of two model rules. Noting the operating challenges posed by the pandemic in 2020, NASAA adopted a broad rule on compliance to ensure that advisers cover the full range of investor concerns in their written policies and procedures. NASAA also reached consensus on a long-debated proposed rule on continuing education to ensure that advisers are knowledgeable of current regulatory requirements and best practices.

NASAA’s annual review details the state-registered investment adviser statistics year over year. As of the end of December 2020, there were 17,454 total state-registered investment advisers, down from 17,553 in 2019.

The annual review also described the contributions of specific project groups to the model legislation and to other significant ongoing efforts. Among the latter, the report offers needed context on how the Cybersecurity and Technology Project Group and the Regulatory Policy and Review Project Group are approaching ongoing and evolving challenges. Here are a few of the takeaways.

Model Rule on Written Policies and Procedures and Compliance Grid

For state-registered investment advisers, NASAA’s new model rule on compliance underscores the fact that it is unlawful to provide investment advice under the Uniform Securities Act “unless the investment adviser establishes, maintains, and enforces written policies and procedures tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.” NASAA explained that state adoption of this model rule will “promote uniformity and facilitate compliance with state securities laws, rules, and regulations,” and should serve to promote a “culture of compliance.”

The model rule establishes that written policies and procedures must include the following: (i) compliance procedures (“reasonably designed to prevent violations of the Uniform Securities Act”); (ii) supervisory policies and procedures; (iii) proxy voting policies and procedures (including voting in the best interest of the client and disclosure when the adviser lacks authority to vote for client securities); (iv) physical security and cybersecurity procedures; (v) a code of ethics containing standards of business conduct that “reflect the investment adviser’s fiduciary obligations” as well as the adviser’s reporting obligations; (vi) material non-public information policy (to prevent the misuse of such information); and (vii) a detailed business continuity and succession plan. This covers the gamut of compliance concerns, but NASAA warns that the rule is only intended to supplement policies and procedures that are carefully tailored to the specific products and services provided by an investment adviser firm.

The model rule comes with an important ten-page “Sample Compliance Grid,” which offers a checklist of policies and procedures consistent with the above categories. NASAA explained that the Grid should be used by investment advisers as a basis to tailor their own policies and procedures and business model, thereby “enhancing its ability to comply with its legal and regulatory obligations and complying with its fiduciary duties to clients.” Advisers were encouraged to “actually remove the ‘off the shelf’ policies and procedures from the plastic wrap,” and not to blindly check the boxes, which could lead to “inadvertently adopt[ing] policies and procedures irrelevant to their business models, and in some cases, impossible for a smaller state-registered adviser to comply with.” Appropriate review and modification using the template, according to NASAA, will help to identify and minimize conflicts and risks to investors.

The explicit warning is that the model rule and the compliance grid will be used by state securities regulators as “a blueprint for examiners,” allowing them to compare what “policies and procedures have been established, how they have been maintained, and to what extent they have been enforced.”


Model Rule on Continuing Education

NASAA’s new model rule on continuing education set parameters for state education programs covering investment advisers. The rule requires advisers to complete 12 hours of continuing education annually to maintain their licenses with state regulators. The program includes a products and practices component as well as a professional responsibility and ethics component. NASAA also provided additional guidance—in the form of a FAQ page—setting forth the general case for the rule, specific questions about credit hours and reporting, course content, fulfillment of the education requirements under different registrations (including on dual registration and multi-jurisdiction registration), professional designations, and consequences for failures to comply. As noted in previous Bates coverage, NASAA is continuing to standardize the criteria under which content providers, instructors and individual continuing education courses will be approved. NASAA expects those processes to be “completed ... and available” by the end of the second quarter of 2021. This week, NASAA announced the availability of a handbook to help potential content providers prepare to meet the requirements for IAR CE programs.


In the annual report, the Cybersecurity and Technology Project Group summarized the development of a Cybersecurity Checklist and additional guidance for investment advisers. The checklist was developed as part of a framework covering risk identification and management, protection of personal identity information, detection of threats (anti-virus software and firewalls), responses to cyber events, and incident preparation and recovery (including cyber insurance and business continuity). These elements were contained within the newly adopted Model Rule on written policies and procedures described above.

The related cybersecurity guidance provides additional information on this framework and emphasizes the importance of a cybersecurity compliance approach that balances “confidentiality, integrity, and availability.” The project group stated that these new resources are intended to help advisers develop best practices to address their compliance program. The group intends to update the guidance going forward to address the “ever-shifting landscape of cybersecurity threats.”

The Regulatory Policy and Review Project Group reported on their participation and contribution to the adoption of the model rules on compliance and continuing education. The group also announced that its 2021 investment adviser priorities focus on (i) alternative fee models (the group expects to provide new guidance); (ii) review of SEC rule proposals to change certain adviser rules and forms; (iii) investment adviser marketing; (iv) a proposed model rule on unpaid arbitration awards; and (v) standing letters of authorization as they relate to custody (the group expects to provide new guidance on this as well).


Despite the difficult conditions of engaging during the pandemic described by the Operations Project Group (among others), 2020 was a significant year for the NASAA Investment Adviser section. The adoption of the model rules on compliance and continuing education reflects not only consensus around complex, evolving and detailed issues, but also the focused work of multiple project groups over multiple years. That said, these and other model rules would, if adopted by the states, largely govern very small businesses—according to the report, a large majority of state independent advisers (81%) are one-to-two-person shops.

The work of the Cybersecurity Project Group and the Regulatory Policy Groups reflects the ongoing dynamic of state regulators attempting to harmonize conditions for state-registered investment advisers among different jurisdictions and with the federal rules. Going forward, Bates will monitor their latest efforts and the adoption of the new model rules across the country.
