So, you have to decide what you're going to spend, decide how you're going to spend it, decide who's going to do the work, and then you have to decide where you're going to focus those resources. I think very few firms look at it analytically that way. You may end up, by doing it analytically, spending less and having more effect.

Hortz: From a strategic top-down perspective, those are the priorities. What do you recommend are the 2-3 actions advisors can do right now to best protect their business from regulatory risk?

Cipperman: One is certainly hiring a third-party firm to do a mock audit. At least you can get a baseline on what your weaknesses are. Also, if you've ever had an examination, make sure you've fully addressed the issues that the SEC or FINRA have raised. I would also review the Risk Alerts and Examination Priorities issued by the regulators. You also need to hire a dedicated Chief Compliance Officer. The dual-hat model really doesn’t work, and the SEC sees a dual-hatted C-suite CCO as a regulatory red flag. Whether it's in-house or outsourced, you need someone who's focused full-time on compliance.

Hortz: Are there any innovative new tools that can meaningfully be of help in the compliance area? What is your view of the growing RegTech space in general?

Cipperman: I'll start with the negative and then go to the positive. I think firms sometimes think technology is the “be all and end all”. That they can use technology and that's going to be their compliance system. It's not. RegTech provides tools. I think they're best used by the right craftspeople, meaning competent compliance people. You could leverage a really good compliance person if you give that person the right tools.

Some of these tech tools are excellent: social media account reviews, emails, personal trading, best execution modules, portfolio compliance. There's some great stuff out there, but I've come across way too many firms that have bought technology or licensed technology and then fail to implement it. They don't know how best to apply it. I think that's a real gap. This is a big data exercise. You need people that know how to handle big data. Big data requires some big tools, tech tools. Clearly we're going to have continuing technological advances in this space because it's needed. I think it's going to be in conjunction with qualified compliance people that know how to use these tools.

Hortz: What best practices do you see on how firms are building a culture of compliance?

Cipperman: You need to constantly be asking tough questions and acting on them: Is your compliance program more than a veneer? Is there actual testing going on? Is there constant improvement? Are you identifying weaknesses and fixing those weaknesses? Are you punishing recidivists in your organization that continually violate rules? Are you sensitive to resource demands of your compliance function? Are you doing the best practices like having a product evaluation committee? Do you have a compliance committee where senior executives participate in conversations about compliance?

These are all areas that evidence there is a compliance culture; that you're not just talking compliance but that you're involved in it and you're actually supporting it. Many organizations cannot evidence that.

Hortz: What best advice can you share with advisors on getting a firm handle on ongoing regulatory and compliance issues in the industry?