On November 19, 2020, the SEC published a risk alert providing an overview of notable compliance issues identified by the agency’s Office of Compliance Inspections and Examinations (“OCIE”) under Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”). The risk alert summarizes commonly cited concerns identified by OCIE examiners in deficiency letters after recent investment adviser exams.
This risk alert observes compliance deficiencies in six general areas:
- Inadequate Resources. Advisers that did not devote adequate resources, such as information technology, staff and training, to their compliance programs and, as a result:
  - Chief compliance officers (“CCOs”) sometimes had numerous other professional responsibilities and were unable to devote sufficient time to fulfilling their compliance duties;
  - The compliance program was found to be ineffective as a result of inadequate training or staffing; and
  - The growth or increased complexity of an advisory business was not matched by increased numbers of compliance staff or upgrading of information technology.
- Insufficient Authority. CCOs who lacked sufficient authority within the firm to develop and enforce appropriate policies and procedures for the adviser, including:
  - CCOs who were restricted from accessing critical compliance information;
  - CCOs who appeared to have limited interaction with senior management; and
  - CCOs who were not consulted regarding matters that had potential compliance implications.
- Annual Review Deficiencies. Advisers that were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify significant existing compliance or regulatory problems, including:
  - Advisers that could not provide evidence that they had conducted ongoing or annual compliance reviews of the advisers’ policies and procedures to determine their adequacy and the effectiveness of their implementation;
  - Advisers that failed to identify or review key risk areas applicable to the adviser, such as conflicts and protection of client assets; or
  - Advisers that failed to review significant areas of their business (e.g., the oversight and review of recommended third-party managers, cybersecurity and the calculation and allocation of fees and expenses).
- Following Own Policies and Procedures. Advisers that did not implement or perform actions required by their written policies and procedures, including advisers that did not:
  - Provide compliance training to their employees;
  - Implement compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosure and other requirements;
  - Review advertising materials;
  - Follow compliance checklists and other processes, including backtesting fee calculations and testing business continuity plans; or
  - Review client accounts to assess consistency of portfolios with clients’ investment objectives.
- Maintaining Current Policies and Procedures. Advisers that employed policies and procedures that contained outdated or inaccurate information about the adviser, and those that used off-the-shelf policies that contained unrelated or incomplete information.
- Weaknesses in Particular Areas of Compliance Program. Advisers that maintained written policies and procedures with deficiencies or weaknesses in establishing, implementing or appropriately tailoring their written policies and procedures in certain areas, including: (i) portfolio management, (ii) marketing, (iii) trading practices, including best execution obligations, (iv) disclosures, (v) advisory fees and valuation, (vi) safeguards for client privacy, including compliance with Regulation S-P, (vii) required books and records, (viii) custody and safety of client assets, and (ix) business continuity plans.
The risk alert does not identify any new types of deficiencies the staff has not identified before. Nor does it suggest that weaknesses were widespread among the adviser community. Nonetheless, the alert will serve as a useful checklist for advisers seeking to identify weaknesses in their own compliance programs and preparing for the inevitable SEC examination.
Advisers looking to enhance their compliance practices may also find the following measures helpful:
- Documenting the time a CCO serving multiple roles spends on compliance matters to demonstrate an appropriate level of devotion to the CCO role;
- Ensuring that input from compliance is being appropriately solicited and factored into strategic decisions in a manner that reflects the CCO as a core organizational stakeholder with access to important information to protect the interests of the firm;
- Maintaining sufficient evidence of the annual reviews conducted by the adviser under the Compliance Rule, including documentation regarding the scope of the review and the firm’s consideration of (i) any compliance matters that arose during the previous year, (ii) any changes in the business activities of the adviser or its affiliates, and (iii) any changes in the Advisers Act or applicable regulations that might suggest a need to revise the firm’s policies, procedures or practices;
- Ensuring (and maintaining sufficient evidence) that any compliance matters raised in the firm’s ongoing and annual reviews (including any mock audits) or any OCIE examinations are appropriately addressed (including through subsequent retesting);
- Ensuring that the adviser’s policies and procedures continue to be sufficiently tailored to the adviser’s business;
- Continuously monitoring sources of regulatory guidance such as Commission rulemakings and staff interpretations to determine to what extent such guidance would impact the adviser’s compliance program; and
- Being mindful of how changes in personnel might impact the firm’s compliance program.