The staff of the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (staff) issued a Risk Alert on November 19, 2020 (Risk Alert), related to OCIE’s observations regarding deficiencies in investment adviser compliance programs.¹ The Risk Alert is intended to share OCIE’s observations on “notable compliance issues” found in recent examinations of SEC-registered investment advisers (advisers) related to Rule 206(4)-7 (Compliance Rule) under the Investment Advisers Act of 1940, which issues are “among the most common cited by OCIE” according to the Risk Alert. The Risk Alert groups the staff’s observations into six categories: inadequate compliance resources; insufficient authority of Chief Compliance Officers (CCOs); annual review deficiencies; implementing actions required by written policies and procedures; maintaining accurate and complete information in policies and procedures; and maintaining or establishing reasonably designed written policies and procedures. The Risk Alert emphasizes the staff’s view that an “adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm.”

The Risk Alert should be considered in light of a companion speech delivered on the same day by Peter Driscoll, Director of OCIE.² In his remarks, Director Driscoll highlighted the importance of empowering CCOs, noting “[a]s the Commission stated, CCOs should be empowered, senior and have authority, but CCOs should not and cannot do it alone and should not and cannot be responsible for all compliance failures,” and emphasizing that “[t]hese three words matter” but empowerment is the key. In the Director’s view, a CCO “must be integral to an adviser’s business and part of its senior leadership.” Director Driscoll continued that CCOs “are on the front lines to help” registrants meet their obligations under the federal securities laws, and that OCIE sees its role similarly because compliance and examiners are “two-sides of the same coin,” each critical to investor protection.

Compliance Rule

The Compliance Rule requires an adviser to: (i) adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules; (ii) review these policies and procedures at least annually for their adequacy and effectiveness; and (iii) designate a CCO to administer the compliance program. While the Compliance Rule imposes an annual review requirement, the Risk Alert recommends that advisers consider more frequent reviews in cases of: significant compliance events; changes to the business; or regulatory developments. Director Driscoll explained that “the Compliance Rule touches on all of the critical areas of being an adviser.” In recognition of the “new normal” as a result of the pandemic, Director Driscoll acknowledged that many advisers have “adapt[ed] compliance with the existing policies and procedures and law to the new circumstances.”

Risk Alert

Inadequate Compliance Resources

The staff observed that some advisers did not dedicate adequate resources to their compliance programs. For example, certain CCOs had “numerous other professional responsibilities, either elsewhere with the adviser or with outside firms,” such that the CCO could not devote adequate time to developing knowledge of the Advisers Act or overseeing the adviser’s compliance program. The staff highlighted instances where the compliance function was under-resourced or inadequately trained and staffed, which hindered implementation of the adviser’s compliance program. The staff also described advisers that “significantly” grew in size or complexity, but did not hire compliance staff or use adequate information technology to continue to implement and tailor their compliance programs.

Insufficient Authority of CCOs

The staff observed that some CCOs lacked authority to craft and implement compliance policies and procedures. For example, the staff noted instances where advisers prohibited their CCOs from viewing key compliance information, such as trading exception reports. The staff also described instances where CCOs had limited interaction with senior management, which restricted the CCO’s knowledge of the firm’s leadership, operations and strategies, and where senior management did not consult the CCO in matters with potential compliance implications.

Annual Review Deficiencies

The staff observed that some advisers could not provide proof that annual reviews had been performed or did not identify significant existing issues. In particular, the staff found that certain advisers’ annual reviews did not properly identify or review key risk areas for the advisory business (e.g., conflicts, custody), or did not review significant areas of their advisory business (e.g., third-party managers, cybersecurity, fee calculation, allocation of expenses).

Implementing Actions Required by Written Policies and Procedures

The staff observed advisers that did not take actions required by their written policies and procedures. For example, even though particular activities were required as a matter of their firms’ written policies, certain advisers did not: train employees; implement procedures; or perform specific tasks as set forth in their own compliance policies and procedures (e.g., reviewing advertising materials, following compliance checklists, reviewing client accounts).

Maintaining Accurate and Complete Information in Policies and Procedures

The staff observed that some advisers had outdated policies and procedures, or had policies and procedures that did not accurately describe the adviser.

Maintaining or Establishing Reasonably Designed Written Policies and Procedures

The staff observed that some advisers had no written compliance policies and procedures, or had inadequate policies and procedures that were not reasonably tailored to the adviser (e.g., relied on “cursory or informal processes” or used an affiliate’s policies). For example, where advisers maintained written policies and procedures, the staff noted “deficiencies or weaknesses” in the following areas:

• Portfolio management: Shortcomings related to due diligence and oversight of third parties (outside managers and service providers) and investments, as well as with respect to investment restrictions imposed by clients or regulators and the need for additional oversight of branch offices and investment advisory representatives.
• Marketing: Deficiencies in oversight of solicitation arrangements and performance advertising, as well as in prevention of the use of misleading marketing materials (including on the firm’s website).
• Trading practices: Deficiencies in the implementation of policies related to: soft dollar allocation; best execution; trade errors; and restricted securities.
• Disclosures: Inaccurate information in Form ADV disclosures and client communications.
• Advisory fees and valuation: Shortcomings in fee billing processes, expense reimbursement policies and asset valuation.
• Safeguards for client privacy: Deficiencies in physical and electronic security of client information, general cybersecurity (e.g., limiting access rights, preventing data loss, undergoing system testing, employee training), as well as compliance with Regulations S-P and S‑ID.³ 
• Required books and records: Weaknesses in written policies and procedures to create and maintain accurate books and records.
• Safeguarding of client assets: Deficiencies in written policies and procedures regarding custody of client assets.
• Business continuity plans: Lack of testing of business continuity plans, or improper designation of responsibility for those plans.

Implications for Advisers

In his speech, Director Driscoll emphasized that risk alerts are a “significant tool” that OCIE uses to communicate its priorities and to promote compliance. The November 19 Risk Alert highlights that compliance-related deficiencies are most common in adviser examinations and explains that “many of the advisers modified their written policies and procedures to address the issues identified by OCIE staff.” Echoing Director Driscoll’s remarks, the Risk Alert emphasizes the importance of empowering and integrating CCOs into senior management and key decision-making affecting the advisory business. The Risk Alert also underscores the necessity of providing adequate resources and staffing to perform the compliance function; advisers are reminded of the importance of supporting their CCOs by ensuring they can devote sufficient time to become knowledgeable about the Advisers Act and, as expressed by Director Driscoll, making them an “essential component of running an advisory or fund business.” Accordingly, investment advisers may want to consider the items identified in the Risk Alert, as applicable to them, in reviewing the adequacy and implementation of their compliance policies and procedures.