OCIE Observations: Compliance Programs

Main Contributor: Katie Mogan, IACCP® Vice President, Senior Compliance Consultant 

The SEC Risk Alerts keep coming, this time with exam observations regarding investment advisors’ Compliance Programs. According to OCIE, the most common exam deficiencies arise from issues with Rule 206(4)-7, known as “the Compliance Rule.”

Rule 206(4)-7 requires investment advisors to have policies and procedures reasonably designed to prevent, detect, and correct violations of the Advisers Act and the firm’s policies and procedures. Under the Rule, policies must be reviewed at least annually to evaluate and assess the effectiveness of the policies, address any violations or issues that arose during the year, including any rule changes (or risk alerts!), and assess any business changes for the advisor. Finally, registered investment advisors must appoint a Chief Compliance Officer (“CCO”), who is knowledgeable and competent regarding the Advisers Act, to administer the Compliance Program. A CCO should have a position of authority with the ability to enforce the Compliance Program appropriately.

Below, we break down the key areas of deficiencies and weaknesses regarding advisors’ Compliance Programs. This risk alert should be helpful as you wrap up your firm’s annual review.

Compliance Rule Deficiencies and Weaknesses Identified by OCIE

Inadequate Compliance Resources

The SEC found CCOs who wore multiple hats and did not devote enough time, training, and/or technology to compliance. We know CCOs cannot always avoid wearing multiple hats and not all firms have endless resources devoted to compliance. Despite this hurdle, it is possible to establish a Compliance Program that meets the Compliance Rule requirements and protects your firm. Our suggestions include:

  1. Create a compliance calendar. This will help you stay organized and establish a process by which you can devote time to compliance reviews and testing. We suggest quarterly reviews, with increased cadence on topics that are higher risk at your firm.

  2. Assess the need for technology, additional staff, and outsourced service providers. In assessing your firm’s needs, think about 1) how many employees you have, 2) the volume of personal trading, 3) your ability to spend time reviewing and testing your procedures, 4) your ability to implement the technology, and 5) the need for additional staff or experts like a consultant or attorney. Outsourcing aspects of compliance can be a very effective solution for your firm. When you outsource, you obtain an expert (or team of experts) for a lower cost than hiring internally at that level. Technology can provide efficiencies as well, especially in areas such as personal trading, which can be tedious and time-consuming to collect and review.

  3. Schedule training. There are many great resources available to stay current and abreast of the regulatory landscape. You can subscribe to free resources, attend live and virtual conferences, join a compliance roundtable in your area, or work towards a compliance credential to improve your overall compliance knowledge.  Make time at least annually to invest in yourself so that you are staying current and relevant in your role as the CCO.

Insufficient Authority of the CCOs

Remember, the SEC wants CCOs to have a seat at the table. They found advisors that restricted CCO access to key information such as trading, and advisors where senior management had limited access or interaction with the CCO, thus eliminating the CCO’s input on key business decisions with compliance implications. To encourage buy-in and involvement with senior management, we suggest the following:

  1. Share your quarterly and annual reviews with senior management. Include details regarding relevant risk alerts, regulatory changes, and violations/concerns. Detail the processes undertaken to resolve and prevent further violations and include any needs for additional resources.

  2. Request to attend meetings. Being a part of executive meetings, best execution reviews, and other areas will help you understand the business, strategy, and the firm’s leadership and provide insight proactively on the impacts surrounding compliance.

  3. Training. Conduct regular training with staff and senior management to increase their level of awareness regarding the importance of compliance, and to ensure consistency with policies.

Annual Review Deficiencies

Nearly every SEC exam and initial request we have been a part of includes a request for evidence of the annual review and risk assessment. OCIE found firms that claimed they performed annual reviews but had no evidence of such reviews, and firms with reviews that did not identify key issues and regulatory risks. In order to avoid this faux pas, we have some suggestions:

  1. Write a memo summarizing your testing process. If you have been with us for a while, you know we suggest quarterly testing to keep this task from becoming overwhelming and to nip issues before they drag on for too long. In your summary, describe your testing, what reports you ran, why you performed the testing, what you were looking for, the process of your review, and your findings.

  2. Detail your key risks. The Compliance Rule outlines the minimum areas you should review, which include portfolio management, marketing, trading practices, disclosures, advisory fees and valuation, safeguards for client privacy, books and records, safeguarding of client assets, and business continuity plans. Start with an outline of these key risk areas and review your policies to ensure you have processes and policies to mitigate each applicable risk area. OCIE also publishes its focus areas each year and provides risk alerts throughout the year, which can be helpful in assessing your risks and policies. We always suggest keeping a written risk assessment and revisiting it at least annually to update for new regulatory changes, changes to your business, and hot topics.

  3. Keep it relevant. Your policies and procedures and review of policies must be relevant to your firm’s practices. Ensure the testing is covering areas applicable to your firm.  OCIE found instances where firms did not address reviews around the use and selection of third-party managers, cybersecurity, and the proper calculation of fees and allocation of expenses.

Implementing Actions Required by Written Policies and Procedures

OCIE found firms did not follow their policies and procedures, with employees who were uninformed or performing functions not in line with firm policies. We suggest:

  1. Training. Train your employees on the topics that pertain to them. Traders and operations may have different policies that apply to them so keep training short and to the topics that they would relate to most. Short and sweet training sessions keep employees engaged and willing to come back for more. All employees should attend Code of Ethics training and use firm-wide email to hammer home important reminders that apply to all employees.

  2. Policy review. A great practice is to request department heads review the sections of your policies and procedures that apply to their department(s). This will help implementation from the top-down and make buy-in from necessary parties more successful. Speak to the employees who have “skin in the game” like traders and marketing personnel to get their buy-in and understanding as you draft new policies.

  3. Follow your policies and process. This sounds like a no-brainer, but you must consistently follow your policies. The completion of the annual review and interviews with key personnel will solidify whether or not the policies are being consistently followed. Use this information to either adjust the policies or provide training to ensure compliance.  As we already discussed, reviewing your policies at least annually, with attention to recent risk alerts and OCIE Exam focuses, will help keep your policies up-to-date and relevant to your firm’s business. If starting with an off-the-shelf manual, make sure you address your firm’s distinctive business model and processes.

Maintaining or Establishing Reasonably Designed Written Policies and Procedures

OCIE found firms did not maintain written policies, failed to maintain tailored written policies, or depended on policies of an affiliate that did not apply to the advisory side of the business. Written policies and procedures that address an advisor’s key business operations are vital to a successful advisory firm. OCIE found deficiencies and weaknesses with key areas such as:

Portfolio Management:

  • Due diligence and oversight of third-party managers

  • Compliance with guidelines and strategies

  • Oversight of third-party service providers

  • Oversight of branch offices and IARs to ensure compliance with policies and procedures

Marketing:

  • Oversight of solicitation arrangements

  • Prevention of misleading presentations including the website

  • Inaccurate performance advertising

Trading practices:

  • Allocation of soft dollars

  • Best execution

  • Trade Errors

  • Restricted Securities

Disclosures:

  • Accuracy of Form ADV

  • Accuracy of client communications

Advisory fees and valuation:

  • Fee billing process

  • Expense reimbursement policies and procedures

  • Valuation of advisory client assets

Safeguards for client privacy:

  • Reg S-P, Reg S-ID

  • Physical security of client information

  • Electronic security of client information including encryption policies

  • General cybersecurity including access rights and controls

  • Data loss prevention

  • Penetration testing and/or vulnerability scans

  • Vendor management

  • Employee training and incident response

Required books and records:

  • Written policies and procedures to make and keep accurate books and records

Safeguarding of client assets:

  • Written policies and procedures regarding custody

  • Written policies and procedures regarding safety of client assets

Business continuity plans:

  • Maintenance of adequate disaster recovery plan

  • Testing of disaster recovery plans

  • Designation of responsibility for disaster recovery plans

Conclusion

The SEC expects advisors to have policies and procedures customized to each advisor’s unique business and operations. An organized, written annual review process with communication to senior management and regular training of employees can help demonstrate that your firm has a solid annual review, policies and procedures, and a CCO with appropriate knowledge and seniority. Keep the tips and tricks of this article in mind when you are wrapping up your annual review this year!
