On Nov. 19, 2020, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a Risk Alert addressing the most common issues identified in recent examinations. The Risk Alert focuses on deficiencies related to Investment Advisers Act of 1940 Rule 206(4)-7 (Compliance Rule). Compliance Rule deficiencies are among the most regularly cited by OCIE regarding investment advisers, and the Risk Alert identifies six areas in which these deficiencies are most often found. Despite the pandemic, OCIE conducted 2,950 examinations in FY 2020, and more than 20% of Enforcement Division actions taken this year were against investment advisers.
Administrative inadequacies regarding compliance resources. OCIE inspections have identified instances where advisers did not devote enough IT, staff, training, and other assets to their compliance programs. Of particular concern are overburdened chief compliance officers (CCOs) who are unable to devote adequate time to their compliance programs, a situation that can arise when CCOs wear multiple hats and perform an array of duties, or situations where an advisory firm fails to grow its compliance program to address growth of the firm or increases in the size or complexity of services offered by the firm. Both firm management and CCOs must be aware of growth in these areas that may require action to assure that the compliance program is effective.
CCO authority. OCIE is concerned that advisory firms may designate CCOs who do not possess proper authority to access required information or are limited in their interactions with both C-suite and regular employees, especially when matters with potential compliance implications are present. When senior management identifies a compliance issue, it must assure that the CCO is made aware of the issue and participates in addressing the concerns raised.
OCIE Director Peter Driscoll echoed these concerns in recent public remarks. While recognizing the difficult role of CCOs, he stated that the words “empowerment, seniority, and authority” are key to the position and its success. A simple “check-the-box” approach is ineffective and will be quickly noticed during an OCIE examination, as will be the CCO’s resource allocation and position within the organization.
In addition to providing CCOs with the proper resources, advisory firms must have senior management committed to CCO success by vesting the CCO with authority and seniority sufficient to properly carry out their responsibilities. Further, firms may consider reliable ways for CCOs and the organization in general to account for changes in growth or complexity of operations and adjust their compliance programs accordingly. If a new investment approach or technique is under consideration, the CCO should be involved at a stage where he or she will be able to identify risks and develop appropriate oversight and controls.
The remaining four areas discussed in the Risk Alert address administrative annual review deficiencies and problems regarding written policies and procedures. OCIE notes that the rule calls for an annual review of compliance policies and procedures to assure that they remain current and address new issues. OCIE is concerned that some advisers could not demonstrate that annual reviews were conducted or, if such reviews were conducted, that they properly identified significant compliance or regulatory problems. Advisory firms should consider regular discussions with experienced legal counsel on the need to document all actions undertaken to support the compliance process. Advisers must recognize that the SEC is skeptical that actions have occurred if there is no documentation confirming the action. Advisers should properly record and document compliance measures and actions as they occur. Many of the deficiencies the OCIE notes may not result from a failure on the part of the adviser to carry out compliance measures, but rather from an inability to prove that they were carried out. The small administrative burden of documenting such actions when they occur is much less costly in terms of time and resources than any remedial actions that would need to be taken during an examination. Whether a review is accomplished as a single year-end project or as an ongoing process throughout the year, it is critical to memorialize in some way, such as a memo to the file or to the compliance team that the review has occurred, what was found, and what further action, if any, is needed.
As for written policy and procedures, OCIE has identified problems with advisers not implementing the actions called for by the compliance program, incomplete or inaccurate information, and maintenance and design. Examples of shortcomings in these areas include failures to train employees, failures to follow checklists or other processes, the use of outdated or inaccurate information, and the use of informal or cursory policies and procedures instead of written ones. Areas where policy and procedure deficiencies occurred include portfolio management, marketing, trading practices, disclosures, and business continuity plans.
When an advisory firm is documenting the annual review, it may address the specific risks and aspects of the adviser’s business. In addition to being specific in annual reviews, advisers may wish to be specific in creating bespoke policies and procedures that fit with their business model as opposed to relying on off-the-shelf, one-size-fits all approaches. Furthermore, an advisory firm that adopts a generic compliance manual for its own use should be extremely careful to assure that it tailors the manual to its own business; it must take particular care to assure it understands and implements each policy or process dictated by the manual. The SEC often identifies requirements set forth in a manual that have not been carried out, and does not accept the explanation that it really did not apply to the firm. If you have a requirement, you should meet it. If it does not apply, it should be removed.