Compliance Rule Deficiencies and Weaknesses
The staff identified notable deficiencies or weaknesses in six general areas: (i) inadequate compliance resources; (ii) insufficient authority of Chief Compliance Officers (CCOs); (iii) annual review deficiencies; (iv) implementing actions required by the written policies and procedures; (v) maintaining accurate and complete information in the written policies and procedures; and (vi) maintaining or establishing reasonably designed written policies and procedures.
Inadequate Compliance Resources
OCIE observed that some advisers failed to devote adequate resources to their compliance programs, including staffing, information technology, and training. In some cases, CCOs had multiple other professional responsibilities or lacked sufficient staff or information technology to carry out their responsibilities as CCO. Moreover, CCOs and compliance staff at times did not have time to develop their knowledge of the Advisers Act or lacked sufficient training to fulfill their compliance-related responsibilities.
Insufficient Authority of CCOs
OCIE observed that in some cases, a CCO lacked sufficient authority within the organization to develop and enforce appropriate policies and procedures. In some cases, this resulted from the CCO not having access to critical compliance information, having limited interaction with senior management, or not being consulted by senior management regarding matters that had potential compliance implications.
Annual Review Deficiencies
OCIE found that at times CCOs were unable to demonstrate that they performed annual reviews of their compliance programs, or annual reviews failed to identify significant existing compliance or regulatory problems. These deficiencies occurred because the CCO did not document reviews or risk assessments that were actually performed or because the CCO failed to review significant areas of the adviser’s business.
Implementation of Actions Required by Written Policies and Procedures
OCIE observed instances in which advisers did not implement or perform actions required by their compliance program’s policies and procedures, including in training, reviewing various trading and advertising activities, backtesting fee calculations, testing of business continuity plans, and reviewing client accounts to ensure consistency with the client’s investment objectives.
Maintaining Accurate and Complete Information in Written Policies and Procedures
OCIE staff observed advisers that had policies and procedures that were outdated or inaccurate, or utilized off-the-shelf policies, and didn’t reflect the adviser’s current business operations (particularly in instances in which the adviser had grown significantly in size or complexity).
Maintaining or Establishing Reasonably Designed Written Policies and Procedures
OCIE staff noted instances in which an adviser did not maintain written policies and procedures appropriately tailored to the adviser’s business. At times, this resulted from relying on cursory or informal processes instead of written policies and procedures, or from utilizing policies of an affiliated entity that were not tailored to the business of the adviser. The staff identified deficiencies and weaknesses with establishing, implementing or appropriately tailoring their written policies and procedures in the following specific areas:
- Portfolio management (primarily failures in due diligence and oversight of outside managers, third-party service providers, investments and branch offices).
- Marketing (primarily poor oversight of solicitation arrangements, and the prevention of the use of misleading marketing presentations, including the use of inaccurate performance).
- Trading Practices (allocation of soft dollars, best execution, trade errors, investment in restricted securities).
- Disclosures (inaccuracies in Form ADV and client communications).
- Advisory fees and valuation (inaccuracies in fee calculation process, expense reimbursements, and valuation of client assets).
- Safeguards for client privacy (issues relating to the security of client information and lack of adequate testing, training and controls around information stored electronically).
- Required books and records (inadequate written policies and procedures regarding the maintenance of required books and records).
- Safeguarding of client assets (written policies and procedures regarding custody and safety of client assets).
- Business continuity plans (disaster recovery plans were not tested or did not contain specific designations of responsibility and contact information).
Conclusion
The Risk Alert emphasizes the importance of continually reviewing an adviser’s written policies and procedures, and of being aware of any changes at the firm that could have an impact on compliance risks. If the adviser’s CCO does not do so, it is difficult if not impossible to ensure that the compliance policies and procedures are tailored to the adviser’s business, which will likely lead to problems in the future. For more information, please contact Steve King or one of the Practus attorneys with whom you work.
About the Author
Financial Services Partner, Steve King, has provided legal advice on SEC regulations and investment management for over 20 years. Steve specializes in a wide array of regulatory and compliance issues that arise under the federal securities and commodities laws, including assisting in regulatory examinations, advising on the use of derivatives by registered investment companies, cross-trading, trade allocation policies, trade error policies, and affiliated transactions.