Authored By Financial Services Attorney, Steve King

On November 19, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert containing an overview of notable compliance issues relating to Rule 206(4)-7 (Compliance Rule) under the Investment Advisers Act of 1940 (Advisers Act).¹  The issues reflected in the Risk Alert were identified from a sample of deficiency letters issued in recent examinations, and OCIE notes that deficiencies related to the Compliance Rule have been among the most commonly cited. 

The Risk Alert reminds advisers that they are required to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, and the rules thereunder, by the firm and its supervised persons.  It notes that advisers should tailor their policies and procedures to the firm’s operations, and the policies and procedures should be designed to prevent, detect, and promptly correct any violations, and should be reviewed no less frequently than annually to consider whether changes are necessary in light of new or increased compliance or business risks, or changes in applicable law or regulations. The staff notes that advisers should consider the need for more frequent reviews in response to significant compliance events, changes in the business, or regulatory developments.

 PRACTUS NOTE: Although the Risk Alert relates primarily to deficiencies cited during examinations, it is also common in enforcement actions for the SEC to charge advisers for violations of the Compliance Rule with respect to policies and procedures that were inadequate to prevent the occurrence of the underlying violations.

Compliance Rule Deficiencies and Weaknesses

The staff identified notable deficiencies or weaknesses in six general areas: (i) inadequate compliance resources; (ii) insufficient authority of Chief Compliance Officers (CCOs); (iii) annual review deficiencies; (iv) implementing actions required by the written policies and procedures; (v) maintaining accurate and complete information in the written policies and procedures; and (vi) maintaining or establishing reasonably designed written policies and procedures.

Inadequate Compliance Resources

OCIE observed that some advisers failed to devote adequate resources to their compliance programs, including staffing, information technology, and training.  In some cases, CCOs had multiple other professional responsibilities or lacked sufficient staff or information technology to carry out their responsibilities as CCO.  Moreover, CCOs and compliance staff at times did not have time to develop their knowledge of the Advisers Act or lacked sufficient training to fulfill their compliance-related responsibilities. 

Insufficient Authority of CCOs

OCIE observed that in some cases, a CCO lacked sufficient authority within the organization to develop and enforce appropriate policies and procedures.  In some cases, this resulted from the CCO not having access to critical compliance information, having limited interaction with senior management, or not being consulted by senior management regarding matters that had potential compliance implications.

Annual Review Deficiencies

OCIE found that at times CCOs were unable to demonstrate that they performed annual reviews of their compliance programs, or annual reviews failed to identify significant existing compliance or regulatory problems.  These deficiencies occurred because the CCO did not document reviews or risk assessments that were actually performed or because the CCO failed to review significant areas of the adviser’s business.

 PRACTUS NOTE: It is important to note that with respect to any actions are not documented, examiners will likely take the view that the actions were not taken.  It is very important to document the risk assessment, how identified risks are addressed by written compliance policies and procedures, exceptions noted during testing, and actions taken to remediate and prevent/detect the recurrence of issues identified. 

Implementation of Actions Required by Written Policies and Procedures

OCIE observed instances in which advisers did not implement or perform actions required by their compliance program’s policies and procedures, including in training, reviewing various trading and advertising activities, backtesting fee calculations, testing of business continuity plans, and reviewing client accounts to ensure consistency with the client’s investment objectives.

Maintaining Accurate and Complete Information in Written Policies and Procedures

OCIE staff observed advisers that had policies and procedures that were outdated or inaccurate, or utilized off-the-shelf policies, and didn’t reflect the adviser’s current business operations (particularly in instances in which the adviser had grown significantly in size or complexity). 

Maintaining or Establishing Reasonably Designed Written Policies and Procedures

OCIE staff noted instances in which an adviser did not maintain written policies and procedures appropriately tailored to the adviser’s business.  At times, this resulted from relying on cursory or informal processes instead of written policies and procedures, or from utilizing policies of an affiliated entity that were not tailored to the business of the adviser.

The staff identified deficiencies and weaknesses with establishing, implementing or appropriately tailoring their written policies and procedures in the following specific areas:

• Portfolio management (primarily failures in due diligence and oversight of outside managers, third-party service providers, investments and branch offices).
• Marketing (primarily poor oversight of solicitation arrangements, and the prevention of the use of misleading marketing presentations, including the use of inaccurate performance).
• Trading Practices (allocation of soft dollars, best execution, trade errors, investment in restricted securities).
• Disclosures (inaccuracies in Form ADV and client communications).
• Advisory fees and valuation (inaccuracies in fee calculation process, expense reimbursements, and valuation of client assets).
• Safeguards for client privacy (issues relating to the security of client information and lack of adequate testing, training and controls around information stored electronically).
• Required books and records (inadequate written policies and procedures regarding the maintenance of required books and records).
• Safeguarding of client assets (written policies and procedures regarding custody and safety of client assets).
• Business continuity plans (disaster recovery plans were not tested or did not contain specific designations of responsibility and contact information).

Conclusion

The Risk Alert emphasizes the importance of continually reviewing an adviser’s written policies and procedures, and of being aware of any changes at the firm that could have an impact on compliance risks.   If the adviser’s CCO does not do so, it is difficult if not impossible to ensure that the compliance policies and procedures are tailored to the adviser’s business, which will likely lead to problems in the future.  For more information, please contact Steve King or one of the Practus attorneys with whom you work.

About the Author

Article Footnotes

1.  OCIE Risk Alert, OCIE Observations: Investment Adviser Compliance Programs (Nov. 19, 2020).

Practus, LLP provides this information as a service to clients and others for educational purposes only. It should not be construed or relied on as legal advice or to create an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.