In conjunction with a speech delivered by its Director last month, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert discussing significant compliance deficiencies its examination staff had identified relating to Investment Advisers Act Rule 206(4)-7 (the “Compliance Rule”). The alert followed on the heels of prior Risk Alerts that addressed Compliance Rule deficiencies, among others, as having been the frequent subject of compliance-related findings by OCIE staff. Many of the deficiencies discussed in the Risk Alert are particularly relevant to growing RIAs who are attempting to assure that their compliance programs evolve and improve as they continue their growth.
The Compliance Rule requires, among other things, that RIAs must design, adopt and put into place written procedures and policies designed to prevent and detect violation of the Advisers Act and its rules. The Compliance Rule also requires the RIA to review the adequacy of those procedures annually. It also requires the RIA to appoint a competent Chief Compliance Officer who is empowered with the responsibility to develop and enforce policies that are appropriate to the firm.
The Risk Alert listed many examples of the types of deficiencies noted during examinations, including inadequate allocation of compliance resources. As we have discussed before, an RIA must assure that the CCO has sufficient time and resources to do the job. This means, for many small and growing RIAs, that the CCO’s compliance role should be exclusive and noncompliance tasks should be reallocated to other employees. There is no prohibition on the CCO having other roles within the organization, but where there are compliance deficiencies, the inability of a CCO to commit sufficient time to compliance will usually be cited as a structural deficiency. The CCO must be permitted, if not encouraged, to obtain additional training and to hire extra compliance staff when needed. Outside consultants or law firms are encouraged when necessary to enable the firm to meet its compliance obligations.
A firm’s compliance manual must be tailored to the firm’s actual business. In too many instances, a firm has obtained a “generic” or “off the shelf” manual, but has failed to customize it to its actual business model. This results in the possible inclusion of policies and procedures that have no relevance to the firm and exclude the kind of bespoke policies that every firm should have to adjust for its peculiar needs.
Another deficiency common to the growing firm is that the firm’s business practices have outrun its compliance program. As firms add new partners, business lines, or technology, the CCO must be consulted and made part of the process, because all of these changes have compliance implications, and most will engender the need for changes to written policies and procedures.
Owners of small, closely-held firms often prefer to keep some information confidential and unavailable to other employees, which may particularly be true with respect to financial information. However, in order to succeed, CCOs must be given access to critical firm information, including financial information, trading error reports, all advisory agreements in effect, and many other types of information. Senior management must interact with the CCO to ensure that the CCO has full knowledge about its strategy and operations.
Every firm should conduct and memorialize an annual compliance review. And when such reviews find compliance or regulatory issues, the firm must have a plan to remedy those issues. OCIE staff reported many instances where reviews were either not conducted, not memorialized, or in which key risks or deficiencies remained undiscovered. Reviews also often omit key areas of a firm’s business.
Another commonly-cited deficiency is a firm’s failure to perform an action required by its compliance procedures. Examples included not conducting new employee or annual compliance training, not reviewing advertising before it is used, not assessing whether clients’ assets are being managed consistently with their investment profile, and similar issues.
Any firm that wishes to improve its compliance program would be well-advised to begin by thoroughly reviewing Release IA-2204, which details the SEC’s expectations regarding what should be included in an effective compliance program.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our Investment Adviser Group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our Investment Adviser Practice Group page for more information.