Maintenance of an effective compliance program continues to be a significant issue for investment advisors. The Office of Compliance Inspections and Examinations (OCIE) emphasized the importance of a strong program in a Risk Alert issued on November 19, 2020. This alert identified deficiencies that have been found at investment advisor firms when testing for adherence to the Compliance Rule (17 CFR §275.206(4)-7).
Under the Compliance Rule, advisors are responsible for adopting written policies and procedures that are reasonably designed to prevent any violations of the Investment Advisers Act of 1940. Advisors must identify their fiduciary and regulatory obligations, and must formalize necessary policies and procedures. Advisors must also designate an individual as a Chief Compliance Officer (CCO) to administer these practices. This rule requires that the advisor perform an annual review of the adequacy of the policies and procedures and the effectiveness of their implementation. The Risk Alert discusses valuable practices for investment advisors to consider when determining the adequacy of their compliance program.
Policies & Procedures
Written policies and procedures are a key tool organizations use to identify matters such as strategies, intentions, and processes. While the Compliance Rule doesn’t specifically identify what elements need to be included in the policies and procedures, advisors should draw on industry best practices and guidelines issued by regulatory entities such as the OCIE when developing them. The OCIE’s Risk Alert identifies several areas of concern seen during their recent reviews.
Advisors should ensure policies and procedures are maintained and customized to their unique characteristics and circumstances. OCIE examiners identified situations where policies and procedures existed, but contained outdated references or appeared to be based on off-the-shelf templates that had unrelated or incomplete information. Examiners also witnessed policies and procedures that were shared among affiliated entities, but weren’t appropriately tailored to each entity. Further deficiencies included:
- Advisory fees
- Business continuity
- Portfolio management
- Privacy safeguards
- Safeguarding of assets
- Trading practices
Beyond simply writing a policy or procedure, compliance management personnel need to ensure that their organization is implementing the identified controls. The CCO should have a sufficient level of authority within the organization to enforce compliance policies. In its examinations, the OCIE identified situations where written controls addressed certain areas, but those areas hadn’t been implemented within the organization. Common areas of discrepancy included:
- Implementing procedures over areas like trade errors
- Performing calculations
- Performing training
- Reviewing advertising material
- Reviewing client accounts
Advisors should make sure compliance personnel have sufficient resources to execute their duties. Resources could include adequate budget, technologies, personnel, and training. The OCIE saw situations where the staffing wasn’t appropriate for the investment advisor given the risks present. For example, a CCO had multiple responsibilities, but couldn’t dedicate enough time to acquire the appropriate knowledge or execute the compliance duties. Advisors need to periodically monitor their staffing levels relative to their compliance training program. OCIE examiners saw scenarios where advisors experienced significant growth, but hadn’t increased their compliance resources to accommodate the new staffing requirements. There were also situations where proper training wasn’t administered to current or new staff.
Internal Access & Communication
Along with sufficient authority, CCOs and their staff must have appropriate internal access to ensure compliance activities focus on the risks impacting the organization. In the examinations, some CCOs were restricted from accessing all necessary information utilized by their organization, resulting in insufficient compliance oversight. The OCIE often saw limited interaction between senior management and the CCO. This caused the CCO to have limited knowledge about the advisor’s leadership, strategies, transactions, and operations. Also, employees sometimes performed activities without consulting compliance personnel, despite there being potential compliance implications.
Under the Compliance Rule, advisors are obligated to annually review their policies and procedures for adequacy. It’s critical that this review be performed in a timely manner and is appropriately documented. In the examinations, there were situations where the advisor claimed a review occurred, but there was no supporting evidence. To receive credit for an annual review, they must confirm that the scope of the review is aligned with the activities and covers all risks that effect the organization. The review should have appropriate coverage of the organization’s services, operations, processes, and controls. Sometimes in the OCIE examinations, an organization’s annual review failed to capture significant areas such as third-party managers, cybersecurity, and fee or expense calculations.
The OCIE’s Risk Alert provides valuable insight into potential gaps, errors, or pitfalls that can be found in your compliance programs. Based on their reports of actual examinations performed, investment advisors can avoid the risks of an inadequate program, and work towards enhancing their overall compliance posture.
The information in this article is based on our preliminary analysis of the regulatory language and U.S. Securities and Exchange Commission (SEC) publications. It’s communicated with the understanding that the Firm isn’t rendering legal services. If legal advice is required, the services of an attorney should be sought.