On November 19th, the SEC published a Risk Alert highlighting common deficiencies identified by the Office of Compliance Inspections and Examinations (“OCIE”) related to Rule 206(4)-7 (the “Compliance Rule”) of the Investment Advisers Act of 1940 (the “Advisers Act”).
Advisers’ Obligations under the Compliance Rule
The Compliance Rule requires advisers registered with the SEC, prior to providing investment advice, to adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder by the adviser and its supervised persons. These policies and procedures must address the adviser’s fiduciary and regulatory obligations and be reviewed at least annually to determine their adequacy and effectiveness. The Compliance Rule also requires registered advisers to designate a Chief Compliance Officer (“CCO”) with sufficient seniority and authority to administer these policies and procedures and compel adherence thereto, if necessary.
Notable Deficiencies Identified by OCIE Staff
OCIE staff commonly observed the following notable deficiencies or weaknesses in connection with the Compliance Rule:
Inadequate Compliance Resources
Staff observed CCOs with significant other professional responsibilities, either with the adviser or outside firms, leading to insufficient time devoted to their CCO responsibilities. Advisers were also identified that lacked sufficient resources, such as staff, training or information technology, negatively affecting the implementation of their policies and procedures.
Insufficient Authority of CCOs
OCIE staff encountered CCOs lacking sufficient authority to develop and enforce the adviser’s policies and procedures, including CCOs:
- without access to crucial compliance-related information, such as advisory agreements and trading exception reports;
- with limited knowledge of the adviser’s leadership, strategy and operations due to limited interaction with senior management; and
- who were not consulted regarding matters with potential compliance implications.
Annual Review Deficiencies
Deficiencies related to an adviser’s required annual review of their written policies and procedures were commonly observed, including advisers that failed to:
- provide evidence that an annual review had occurred;
- identify or review applicable risk areas, such as conflicts and the protection of client assets; and
- review significant areas of their business, such as third-party managers, cybersecurity, the calculation of fees and the allocation of expenses.
Failure to Implement Actions Required by Written Policies and Procedures
Staff encountered numerous advisers with deficiencies related to the implementation of compliance policies and procedures, including those that failed to train employees, review advertising materials, implement procedures in crucial areas (trade errors, conflicts, disclosures, etc.), follow compliance checklists and other processes (backtesting fee calculations, testing continuity plans, etc.), and review client accounts for consistency with client objectives on a periodic basis or required schedule.
Failure to Maintain Accurate and Complete Information in Policies and Procedures
Some advisers were observed with policies and procedures that contained inappropriate or inaccurate information, including off-the-shelf policies inapplicable to the adviser’s operations.
Failure to Maintain or Establish Reasonably Designed Written Policies and Procedures
Advisers were also identified that failed to establish and maintain written policies and procedures at all, as well as those with written policies and procedures that were not reasonably designed to prevent violations of the Advisers Act. Of those that did maintain written policies and procedures, common areas where their policies and procedures were weak or deficient included: portfolio management, marketing, trading practices, disclosures, advisory fees and valuation, client privacy safeguards, required books and records, safeguarding client assets and business continuity plans.
OCIE’s Focus on CCOs
Peter Driscoll, Director of OCIE, also gave a speech on November 19th touching upon the focal points of OCIE’s Risk Alert and highlighting the difficulties faced by CCOs and their staff, especially in light of the COVID-19 pandemic, as well as their importance in minimizing and eliminating deficiencies and weaknesses. He again emphasized the importance of empowering CCOs with sufficient seniority and authority, rather than taking a “check-the-box” approach to the CCO requirement under the Compliance Rule.
Mr. Driscoll touched upon the need for an adviser’s compliance department to be fully integrated into the business and supported by management to be fully effective. Ideally, the CCO would report directly to, or be part of, senior management.
Today, as the country continues to deal with the effects of the COVID-19 pandemic, the Director noted the added difficulty CCOs and their staff face in addressing new COVID-related issues while performing their roles remotely. He closed his remarks with renewed emphasis on the need for these CCOs to have sufficient empowerment, seniority and authority.
Advisers should review their written compliance policies and procedures and the role of their CCO in light of the OCIE staff observations and the remarks by Director Driscoll mentioned above. To the extent that you believe any of these deficiencies or weaknesses apply to your firm, appropriate steps should be taken to remedy such deficiencies and ensure policies and procedures are revised or implemented to guard against future issues. If you would like assistance in this process, our investment management practice group is standing by and would be happy to help.
Disclaimer: This summary is provided for educational and informational purposes only and is not legal advice. Any specific questions about these topics should be directed to attorneys Thomas H. Bilodeau III, Scott Stokes, David Glod or Matthew Sweet.