Compliance is a key issue for all firms. Many companies use the U.S. sentencing guidelines as a starting point. In other instances, regulators craft a starting point with rules that direct the creation of programs. This is true, for example, for investment advisers registered with the Commission. In either case, the critical point is to craft the policies and procedures so that they effectively monitor the business and evolve with it.
OCIE – the SEC’s Office of Compliance Inspections and Examinations – published a Risk Alert on November 19, 2020 discussing key issues for registered investment advisers. OCIE Observations: Investment Adviser Compliance Programs (here). The Alert provides a good discussion of key issues in crafting and maintaining an effective compliance program.
The basics: For registered investment advisers, compliance begins with the SEC’s Rule. It is written in broad strokes and thus does not detail specific elements that the advisers must incorporate into its policies and procedures. Rather, as the Alert states: “Each adviser should adopt policies and procedures that take into consideration the nature of the firm’s operations. The policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.”
The SEC’s Rule does, however, require that an annual review be conducted and a CCO designated. The review should include new compliance issues, consider changes in the business of the adviser or its affiliates and examine the impact of changes in regulations or the environment. While the Rule only requires an annual review, the Alert suggests that more frequent reviews may be useful and necessary.
Although the precise obligations of the CCO are not designated, that person’s function is to administer the policies and procedures adopted. The designated CCO should thus have full responsibility for the program and be empowered to properly implement it.
Deficiencies and key points: The Alert details a series of deficiencies and weaknesses that have been observed by the Office. Those include:
Inadequate resources: Resources are critical to developing and maintaining an effective compliance system. Information technology and staffing are key. Yet OCIE observed several important deficient and weakness in this area. Included are CCOs who had multiple duties which interfered with effectively allocating sufficient time to compliance. Also included in this area is a lack of adequate training, insufficient staff to for, example, conduct a proper annual review and update Form ADV. And, a number of advisers failed to properly add resources as the advisory grew, a situation which in turn resulted with inadequate staff and resources.
Insufficient CCO authority: The CCO position is critical. Yet in a number of instances OCIE observed CCO’s that did not have information critical to advisory agreement. In other instance CCOs either did not have adequate interface with senior management or were not consulted.
Deficiencies in annual review: The annual review is one of the few elements of the program specifically mandated by the Rule. Its importance cannot be overstated. In many instances, however, OCIE encountered situations in which the adviser claimed to have conduct the review, but there was inadequate evidence of it. In other instances, the adviser failed to identify or review key risk areas of the advisory such as conflicts. Similarly, advisers frequently failed to review and analyze important areas of the business in connection with the review.
Implementing actions required by written policies and procedures: In a number of instances OCIE observed advisers that either failed to implement policies and procedures or failed to comply with them. This occurred in a number of areas such as employee training, implementing procedures regarding trade errors, not reviewing advertising materials, failing to adhere to checklists and other processes and not properly reviewing client accounts to assess consistency with client objectives.
Maintaining or establishing written policies: It is critical that the advisory maintain up-to-date written policies and procedures. The staff has observed situations in which certain provisions were outdated or inaccurate, however. Similarly, in a number of instances the adviser failed to maintain policies and procedures that are written, properly implemented and complete.
Equally important is tailoring the policies and procedures adopted to the specifics of the advisor’s business. Areas to consider include: 1) Portfolio management, including due diligence, oversite of managers and compliance with regulatory requirements, advisory provisions and client limitations; 2) Marketing which requires careful oversight and the prevention of misleading statements; 3) Trading practices, including arrangements regarding soft dollars, best execution and those regarding restricted securities; 4) Disclosures, including those in Form ADV and with clients; 5) Advisory fees and valuation, including billing procedures and the valuation of assets; 6) Privacy safeguards for clients such as Regulations S-P and S-ID, physical security for client information and data and those for electronic material and cyber security. Finally, it is critical that the advisory maintain the required records and have an adequate business continuity plan.
Comment: The Alert was prepared by OCIE to encourage compliance. Proper compliance is in fact not just a matter of following the Rule but good business. It is good business for clients who are assured that their assets are properly invested and handled. It is good business for the advisory since it helps ensure a proper functioning business. Advisers would thus be well advised to carefully review their operations in view of the checklist included in this Alert.