On November 19, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert, OCIE Observations: Investment Adviser Compliance Programs, to provide the industry with insights regarding their findings in their examinations relating to Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”) or the Compliance Rule.

The benefit of this information – the regulator’s perspective as to what other firms have gotten wrong in complying with this rule – is that the industry gets a road map of what they need to pay attention to, review, and address to avoid regulatory issues themselves. It goes without saying that these insights assist firms with Rule 206(4)-7 compliance. But it does more than that — it fundamentally supports compliance with every other investment adviser regulatory obligation.

As a preliminary matter, OCIE notes that the Compliance Rule is not a proscriptive rule that details all necessarily elements of an effective compliance program. Rather, programs need to be tailored to the firm’s business. Fundamentally, OCIE states that the “policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.” (Emphasis added.)

OCIE calls out six key areas where their examiners observed “notable deficiencies.” None should be a surprise and all are areas that investment advisers should review to ensure their programs are sufficient. The six key deficiencies are:

1. Inadequate compliance resources

• Stretched too thin: Where CCOs have multiple responsibilities either at the firm or with multiple firms, they need to have time to develop their understanding of the regulatory requirements and new developments and be able to keep up with responsibilities.
• Staffing resources inadequate: Both inadequate training and/or insufficient staffing led to delays in complying with requirements, including performing annual reviews, completing and filing ADVs, or timely responding to regulatory requests.
• Failing to keep pace with firm growth: As some firms grew in size and complexity, they did not hire enough staff or invest in information technology to meet increased needs.

2. Insufficient authority of CCOs

• Expected to carry out responsibilities with one hand tied behind their back. OCIE noted instances where CCOs were not given access to critical compliance information and had limited interactions with senior management, which led to limited understanding of the “firm’s leadership, strategy, transactions, and business operations.”

3. Annual review deficiencies

• Documentation and scope failures: OCIE still found instances where firms said that they were doing ongoing or annual reviews but could not provide any evidence of the reviews. Regarding scope failures, OCIE observed instances where advisers failed to identify or review key risk areas that applied to the adviser’s business or simply failed to review significant areas of their business.

4. Implementing actions required by written procedures

• “You said you were going to do it, but you didn’t do it:” This is an area that should not trip up firms but it still does. OCIE observed instances where advisers did not follow their policies and procedures. (The alert details five such instances, but the cited examples are not important in and of themselves; what is important is actually implementing your policies and procedures.) While not noted by OCIE in this particular Risk Alert, OCIE has said that as situations warrant, for example, during business adjustments in light of the COVID-19 pandemic, if a specific policy or procedure needs to be modified, document the decision.[1]

5. Maintaining accurate and complete information in policies and procedures

• Make sure your policies and procedures are up-to-date and accurate: OCIE observed instances where an adviser’s policies and procedures did not reflect its current operations or were not accurate. This includes when using off-the-shelf policies, ensuring that they are then tailored to the firm’s business.

6. Maintaining or establishing reasonably designed written policies and procedures

• Ensure that policies and procedures are written and are tailored to the advisor’s business: OCIE observed some firms that did not have formal processes to guide the firm but instead relied on “cursory or informal processes” or relied on procedures of a non-adviser affiliate.
• Ensure that the adviser’s policies and procedures address key risk areas: No surprises here. The nine areas that OCIE calls out in their observations of deficiencies are all areas that have been regulatory hot buttons in recent years. These include: portfolio management, marketing, trading practices, disclosures, advisory fees and evaluations, client privacy safeguards, books and records, safeguarding client assets, and business continuity plans.

Key Take-Aways:

1. A “check the box” approach to developing and implementing your compliance program is never a good thing. As OCIE states at the outset of the Risk Alert, the compliance program must be “designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.” In developing its compliance program, the adviser should ensure that it is tailored to the adviser’s business. Further, advisers should ensure that they are fully implementing the written compliance program and addressing any identified deficiencies.
2. It is not a “one and done” exercise. Once an adviser has done the hard work of developing and implementing their compliance program, it is important to undertake reviews to ensure that business or regulatory changes are evaluated and the program appropriately updated. Under Rule 206(4)-7, advisers are required to undertake an annual review. As OCIE notes in their Risk Alert, interim reviews are a good practice to ensure timely response to “significant compliance events, changes in business arrangements, and regulatory developments.”
3. Adopt a true “cost/benefit” approach. Compliance is not a profit center. Period. But if that reality causes an adviser to place compliance needs and focus on the back burner or devote insufficient resources, attention, and support to compliance, the adviser may incur significant costs on the back end. Costs can take a variety of different forms, including restitution to customers for losses incurred because of regulatory failures, fines to the regulators for violations, suspension of principals and investment adviser representatives, and reputational hits when regulators bring enforcement actions or there is litigation resulting from violations and customer harm.
4. Document, document, document: The informal comment one often hears from regulators is that “If it is not documented, it didn’t happen,” While that may sound harsh, it highlights the importance of documentation. OCIE notes in the Risk Alert several areas where documentation is key, including the development, implementation, and execution of the advisor’s compliance program.
5. Yes, it is a good idea to document those regulatory obligations that do not apply to the adviser’s business. In another nuance to the recommendation to tailor the program and document decisions made around creation, implementation, and execution, a best practice is to keep a list of laws, rules and regulations that do not currently apply to the firm’s business to demonstrate that the adviser has done a thorough review of applicable regulatory requirements. This list should be periodically reexamined, particularly in light of any changes to the adviser’s business.
6. State registered investment advisers. OCIE’s Risk Alert is specific to SEC registered investment advisers. State registered investment advisers, however, should also keep these key focus areas in mind to ensure that they have compliance programs that will stand up to regulatory scrutiny.

   ---

   [1]Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020), https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.