Roles and Responsibilities of the Chief Compliance Officer

Main Contributor: Elizabeth Cope, CPA, CSCP, CIPM, CEO & Lead Consultant

Background

In February of 2004, the SEC adopted Rule 206(4)-7 (the “Rule”) that required advisers (and investment companies) to adopt and implement written policies and procedures that are reasonably designed to prevent violations of the federal securities laws, review those policies and procedures annually for effectiveness and adequacy, and designate a Chief Compliance Officer (“CCO”) to be responsible for administering the policies and procedures.

In the Rule’s release, the SEC clarified that the CCO must be competent, knowledgeable regarding the Advisers Act of 1940, and empowered with full responsibility and authority to develop and enforce appropriate policies for the firm.

When this Rule was first adopted in 2004, the CCO position was more of a part-time role. But over the years, the sophistication of the SEC, the policy requirements, and the annual review have expanded, and therefore so have the responsibilities of the CCO. In my opinion, even as a full-time role, it is one that needs adequate support.

Key Roles of the CCO

The CCO’s responsibilities are as follows:

  1. Education: The CCO must demonstrate their education and propensity to stay abreast of regulatory requirements and developments. In addition to being aware of new rules and regulations, the CCO must pay attention to risk alerts and enforcement cases. The regulators often interpret the rules through exams and enforcement cases, setting precedents. CCOs must be aware of these findings and, where applicable, adopt procedures to address the concerns of the regulators. Attending compliance conferences, local roundtables, webinars, and SEC outreach programs are all ways the CCO can stay educated.

  2. Risk and Conflict Management: The CCO must identify, mitigate, and review the firm’s risks and conflicts on an ongoing basis. Not only is this a process that must be documented and substantiated to the staff during an exam, but it also drives the content of the firm’s policies and procedures and disclosure documents. Effective communication throughout the firm is a critical tool for the CCO to make this process effective.

  3. Policies and Procedures: Draft, update, and maintain written policies and procedures, including a Code of Ethics that is in compliance with Rule 204(A)-1. SCS expects these to be reviewed no less than annually and evolve with the firm. Most importantly, they should be tailored to the firm’s actual practices and not “off-the-shelf.”

  4. Agreements: Draft, update, and maintain agreements that meet the requirements of the Advisers Act and are consistent with actual practice and other regulatory disclosures.

  5. Registration: Maintain the appropriate filings for the Firm’s registration, specifically the Form ADV and, where applicable, U4s for investment advisory representatives. These must be filed timely and they must accurately portray the firm’s fees, services, and conflicts of interest. Furthermore, the CCO must monitor state requirements for proper and timely notice filings.

  6. Regulatory Filings: Maintain and file all applicable regulatory filings timely. Example filings can include form 13H, 13F, 13D, 13G, Form PF, Form D, Blue Sky and Form N-PX.

  7. Disclosures: In addition to the ADV Part 1 that must be filed for the firm’s registration there is also Form ADV part 2A, ADV part 2B, Form CRS (for retail clients) and the Privacy Notice (for customer accounts). All of these documents must be reviewed regularly against the firm’s agreements, policies and procedures, marketing materials, and actual practice to ensure they adequately and accurately disclose the firm’s fees, services, and conflicts. These documents must always be current and provided to clients upon engagement and, under certain circumstances, annually or more frequently. To do this effectively, the CCO must be able to have clear communication lines with the entire team at the firm to identify all disclosable conflicts and a culture that promotes communication to the CCO on a regular and proactive basis. This goes beyond compliance and speaks to the culture and communication habits of the firm, but is nonetheless a very important factor for a healthy and effective compliance program.

  8. Annual Review: No less than annually, the CCO must measure the effectiveness of the firm’s policies and procedures. The SEC expects a robust audit program that tests and reviews the applicable functions of the firm and documents the results. Further, any violations or inadequacies identified must be properly communicated to necessary personnel with changes implemented timely. This is where the empowerment quality is essential in the CCO. They need to be in a position where change can be made when needed.

  9. Exams: Your firm will get examined, and you want to be prepared for it. During an exam, the regulators expect to coordinate with the CCO. The CCO needs to be organized, timely with responses, and friendly with the staff in order to ensure a smooth exam experience. Generally, the staff requests a lot of documents that must be produced in a short period of time (anywhere from 1 to 2 weeks is what I typically see). Having an organized record-keeping process is critical.

  10. Advertisements: Although not explicitly required by the SEC for the CCO to monitor and review all advertisements, it is expected, and, in my opinion, necessary, as this is your firm’s greatest exposure. This includes not only printed materials, but also the firm’s website, social media accounts, and potential social media accounts of individuals at your firm depending on what is permitted. The CCO must be able to substantiate reviews of advertisements. During exams, I have seen the SEC request support for the reviews of specific materials. Further, with the re-write of the Marketing Rule 206(4)-1, the SEC has made this a focus area.

  11. Cybersecurity: As a fiduciary you must also place the interest of your clients first and that includes protecting their information from unauthorized threats. The CCO is expected to maintain written policies on how the firm protects its clients and the specific controls in place. This includes an understanding of the firm’s IT stack, where client information is being stored, and an awareness of the potential risks. Furthermore, the CCO is expected to conduct ongoing reviews and/or testing and train staff on their requirements to further protect the firm and its clients.

  12. Business Continuity: The CCO must draft, maintain, and update the firm’s business continuity plan to address the necessary steps in the event of a disaster and/or business disruption, taking into consideration how the firm is set up to work. Additionally, the CCO must make sure this plan is tested for adequacy and effectiveness and that employees are trained on what to do in the event of a disaster.

  13. Books and Records: As mentioned in previous responsibilities, the CCO must maintain records as required by Rule 204-2 and substantiate everything the CCO does. These records must be organized so they can be retrieved in a timely manner when necessary. This also includes the use of off-channel communication, for which the SEC has set precedents through enforcement. The regulators expect the firm to maintain effective policies and monitoring procedures to make sure all communications used for business-related purposes (both internally and externally) are properly archived and reviewed.

  14. Trading and Best Execution: As part of the firm’s annual review, the CCO must make sure that there is a regular and consistent review of the firm’s trading practices and a documented review of the firm’s efforts to obtain best execution, taking into account both qualitative and quantitative factors. This is required whether you utilize one broker or many.

  15. Custody: The CCO must be aware of what constitutes custody and have a process to regularly review and re-review the firm’s practices to determine if the firm has custody and, further, if a surprise custody exam or financial statement audit (for private funds) is required. Examples of custody include, but are not limited to, trustee services, bill pay, activities of related parties that your advisory clients utilize, private funds, standing letters of authorization, and having access to banking and/or credit card information.

  16. Due Diligence: There is a rule proposal that has yet to be adopted, but Regulation S-P, for which amendments were adopted, does specify oversight of your vendors to ensure they are meeting their contractual obligations, protecting client information, and have plans in place in the event of a disaster. The CCO must regularly review and monitor the firm’s use of service providers and therefore have a clear channel of communication within the firm so as to be made aware of new vendors being added.

  17. Training: The SEC expects the CCO to provide regular training and update the staff on the firm’s policies and procedures and regulatory requirements. This must be documented to substantiate that all employees attended and/or viewed a recording of the training.

These are the critical areas, but within each are more details. There are areas that I didn’t address, such as compliance with other regulatory agencies (the Department of Labor, the Federal Trade Commission, and the Department of the Treasury) and potential foreign regulations if the Adviser is doing business outside of the US.

Support for the CCO

I personally don’t see how a CCO can be expected to effectively adhere to these responsibilities without proper support. Support can take many forms and can include internal staff to assist and delegate tasks to, an outside compliance consultant, legal counsel, software solutions, and technology. It’s up to the CCO to be able to effectively communicate their needs to the individuals responsible for approving the use of such support.

CCO Responsibility

It is important to understand that even with delegation and the use of third parties, the CCO is ultimately responsible for the firm’s compliance program. Therefore, it is not wise to simply delegate. You must first understand the task before delegating it, and follow up afterwards to confirm your understanding.

Conclusion

The role of the Chief Compliance Officer has evolved into a pivotal position within financial advisory firms, especially following the SEC's adoption of Rule 206(4)-7. This rule not only emphasizes the necessity for comprehensive written policies and procedures but also underscores the need for a knowledgeable and empowered CCO to oversee their implementation and effectiveness. As outlined, the responsibilities of the CCO are extensive, encompassing education, risk management, regulatory compliance, and ongoing communication with all levels of the organization.

Given the complexity and breadth of these duties, it is crucial that CCOs receive adequate support—be it through dedicated staff, external consultants, or advanced technology—to effectively fulfill their roles. While delegation can alleviate some burdens, ultimate accountability rests with the CCO, making it imperative to maintain a thorough understanding of all compliance matters. As firms navigate an increasingly intricate regulatory landscape, the commitment to fostering a robust compliance culture led by a well-resourced and empowered CCO will be essential for mitigating risks and ensuring adherence to federal securities laws. The path forward necessitates not only recognizing the importance of the CCO's role but also actively investing in the resources required to support their success.
