On Nov. 19, 2020, the Office of Compliance Inspections and Examinations (OCIE) issued a new Risk Alert focusing on common compliance deficiencies relating to the Advisers Act and Rule 206(4)-7, otherwise known as the Compliance Rule. As a brief refresher, the Compliance Rule requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. The Compliance Rule does not designate specific elements that must be addressed by advisers in their policies and procedures, and each adviser should adopt policies and procedures that are tailored to the nature of the adviser’s operations. The Compliance Rule mandates that advisers review their policies and procedures, at minimum, annually, and the review should consider compliance matters arising during the previous year, any changes in business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations. Also, while not required by the Compliance Rule, advisers should consider the need for interim reviews in response to compliance-related events, changes in business activities, and/or regulatory developments. Finally, the Compliance Rule also stipulates that advisers must have a designated chief compliance officer (CCO) to oversee their compliance policies and procedures.
Following are examples of deficiencies or weaknesses identified by OCIE related to the Compliance Rule.
1. Inadequate Compliance Resources. Deficiencies in this area stem from advisers not devoting adequate resources, such as information technology, staff, and training to their compliance programs. Examples of this include: (i) CCOs wearing too many hats or being spread too thin with other professional responsibilities, either in the firm or elsewhere; (ii) a lack of sufficient training or staff to properly execute compliance policies adopted by the adviser, such as performing annual reviews or timely filing Form ADVs; and (iii) instances when advisers had significantly grown in size or complexity but failed to scale their staff or information technology capabilities to meet new demands.
2. Insufficient Authority of CCOs. OCIE found certain CCOs lacked the needed authority within the firm to create and execute a proper compliance program, such as CCOs being restricted from accessing critical information, including trading exception reports and the investment advisory agreements of key clients. In addition, OCIE noted instances of CCOs having limited interaction with senior management, resulting in incomplete knowledge of the advisers’ leadership, strategy, and business operations, or not being consulted on matters that have potential compliance implications.
3. Annual Review Deficiencies. OCIE references advisers being unable to evidence the performance of annual reviews, failing to identify applicable risks and failing to review key areas of their business, including cybersecurity, the calculation of fees and expense allocations.
4. Implementing Actions Required by Written Policies and Procedures. The Risk Alert also points out instances of advisers failing to implement or carry out requirements in their policies and procedures, such as employee training, reviewing advertising materials, back-testing fee calculations, testing business continuity plans, or reviewing the suitability of investments in client accounts.
5. Maintaining Accurate and Complete Information in Policies and Procedures. OCIE noted advisers having outdated or otherwise inaccurate policies and procedures or “off-the-shelf” policies with information that was either unrelated or not tailored to the advisers’ business operations.
6. Maintaining or Establishing Reasonably Designed Written Policies and Procedures. Finally, OCIE noted examples of advisers relying on informal processes instead of written policies and procedures or using policies of an affiliate, such as a broker-dealer, that were not customized to the business of the adviser.
Even in instances when advisers did have written policies and procedures, OCIE noted a number of specific deficiencies, which primarily occurred in the areas of:
Portfolio management, such as due diligence and oversight of outside managers, investments, and third-party managers;
Marketing, including solicitation arrangements or misleading presentations/advertising;
Trading practices, such as soft dollar allocation, best execution, trade errors, and restricted securities;
The accuracy of disclosure, such as Form ADV;
Advisory fees and valuation, including fee billing processes, expense reimbursement, and the valuation of client assets;
Safeguards on client privacy, such as Reg S-P and S-ID, as well as physical and cybersecurity protection of client information, for example penetration testing and/or vulnerability scans, vendor management, and employee training;
Written policies addressing books and records maintenance under Rule 204-2 of the Advisers Act and the custody and safety of client assets; and
Business continuity plans that were not tested or that did not contain current information.