On November 19, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations released a risk alert relating to deficiencies in registered investment advisers’ compliance programs. Under Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (“Advisers Act”), it is unlawful for a registered investment adviser to provide investment advice unless it has adopted and implemented written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder by the adviser or any of its supervised persons. While the Compliance Rule doesn’t provide for any specific policies that must be adopted, the Compliance Rule requires advisers to consider their fiduciary and regulatory obligations under the Advisers Act and to formalize policies and procedures to address them. The SEC noted that deficiencies related to the Compliance Rule have been among the most commonly cited by the OCIE.
The Risk Alert provides an overview of notable issues identified by the OCIE and is often a roadmap to issues that the OCIE will be reviewing in the upcoming year.
While for many larger investment advisers there can be difficult and thorny compliance issues, the risk alert seems to focus on what I think are mostly unforced errors involving some fairly basic blocking and tackling:
- Prioritize your Compliance Program. The risk alert identified numerous issues where registered investment advisers did not allocate sufficient resources, or grant sufficient access, to their compliance staff in order for the compliance team to do their job. It also raised issues where the CCO did not have sufficient time to do their job. Make sure your CCO isn’t wearing too many hats (oftentimes, also acting as the GC to the firm), and can focus his or her attention on fulfilling their compliance functions. This also means if you are growing significantly in size or complexity as a firm, consider whether you need to add additional compliance staff or information technology to support the team. Make sure that the CCO has access to senior management and has a complete understanding of the firm and its risk profile.
- Do your Annual Review and Maintain a Written Record. Yes, it is mandatory. And yes, you need to keep records that you did it. The risk alert observed numerous failures in this area.
- Do what you say you’re going to do. A firm’s policies and procedures exist to help the firm be in compliance with the law. If the firm adopts a policy – make sure you follow it. The OCIE risk alert noted numerous firms adopted policies, but didn’t follow them.
The risk alert also provided a brief overview of a number of more substantive failures of firms’ policies and procedures. These fell across a number of areas, including identifying issues raised in prior risk alerts. These included failures of compliance policies and procedures to deal with various portfolio management issues, marketing issues, trading practices, disclosures (including the lack of accuracy of Form ADV), advisory fees and valuation issues, safeguards for client privacy (Regulation S-P and S-ID, Cybersecurity), books and records, Custody rule issues, and issues with firms’ business continuity plans.
The full alert is available here: https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf
As always, please reach out if you have any questions.