A Recent OCIE Risk Alert points out “Notable Compliance Issues” relating to the Compliance Rule.
Last week, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert, the 9th Risk Alert issued this year. Titled “OCIE Observations: Investment Adviser Compliance Programs”, the Risk Alert provides examples of deficiencies related to the Compliance Rule (206(4)-7), which OCIE finds are common among examined investment advisers.
You may remember that the Compliance Rule says it is unlawful for an RIA to provide investment advice unless the adviser’s operations are in compliance with the Compliance Rule. Although the text of the Compliance Rule is short, its requirements are comprehensive:
· Adopt and implement written policies and procedures reasonably designed to prevent violations by the Firm and its supervised persons;
· Perform an Annual Review; and
· Designate a person as your CCO.
IA Release IA-2204 released in connection with the Compliance Rule provides more detailed guidance.
How Were Investment Adviser’s Compliance programs Insufficient?
In the November 19 Risk Alert, OCIE pointed out deficiencies and weaknesses identified such as:
Inadequate compliance resources regarding personnel, training, and information technology;
Insufficient authority of CCOs, who are not consulted with or supported by management to enable an effective compliance program;
Annual Review deficiencies, including lack of documentation, consideration of key risks and/or businesses and changes to business or operations; and
Written Policies and Procedures which were insufficient, incomplete, inaccurate, or not updated, not actually implemented and some that didn’t even apply to the adviser.
The Risk Alert lists specific certain areas where the written policies were deficient, or not implemented –
· Portfolio Management;
· Trading practices;
· Disclosures; and
· Fees and valuation.
OCIE’s observations indicate that some advisers designate as the Chief Compliance Officer individuals that have significant other responsibilities, and therefore they are tempted to utilize off-the-shelf forms, checklists, policies, and procedures. The Risk Alert refers to more than 6 other Risk Alerts issued by OCIE, all of which describe Investment Adviser Compliance Deficiencies, and most of which were issued since 2017.
OCIE’s 2020 Examination Program Priorities report indicates OCIE’s focus on Investment Adviser compliance is growing, adding staff, technology, and data analytics. In 2019 OCIE published eight risk alerts, which OCIE stated represented the most risk alerts in a year – In 2020 OCIE has already published nine and the year is not over. In general, advisers should expect to be examined during their first year of operations as an SEC registered adviser, and once every five years after that. If your last examination was more than five years ago, be prepared.
What Should Investment Advisers and their CCOs Do to Prepare for the Next SEC Audit?
The good news is that OCIE’s Risk Alerts are instructive for advisers that are willing devote resources to compliance to be prepared for their next examination. OCIE’s continued engagement with the industry is fair warning for advisers of what to expect from their next examination.
Advisers should read OCIE’s recent Risk Alerts, considering their own operations, risks and compliance programs. Some high level steps Advisers and CCOs should take :
·Evaluate whether your CCO has the time, resources and skills to create, implement and monitor an effective compliance program.
Provide additional resources as necessary.
Create a “tone at the top” to demonstrate that compliance is valued and a priority.
o Provide periodic training to your employees and education to your CCO.
o address all applicable sections and rules under the Investment Advisers Act;
o address other applicable regulations, such as Regulation S-P or S-ID;
o are sufficiently tailored to your firm’s businesses and operations;
o are updated for any changes in the firm, its business and operations;
o are updated to manage compliance risks particular to 2020, including cybersecurity, and increased surveillance for employees working remotely; and
o have been adopted and implemented throughout your firm. (Written policies that are not followed are a frequently observed deficiency.)
Create a Risk Matrix that identifies risks particular to your firm and its operations and re-evaluate in light of 2020 changes to operations. Consider how to mitigate risks.
Ensure that top management is aware of risks and compliance issues and has allocated sufficient resources for 2021.
Perform a conflict inventory and be sure to consider any changes to your firm or business. Make sure conflicts of interest are adequately disclosed on the Form CRS and in the Brochure.
Review all disclosures on Form ADV and Form CRS for accuracy and completeness.
Follow up with employees who are not meeting their compliance obligations. Investigate automated compliance providers for employee reporting, if applicable.
Make sure compliance policies are sufficiently tested, testing is documented, and any issues are addressed (and documented).
Seek assistance from outside counsel if needed.
You can read the full Risk Alert here.