The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert on November 19, 2020, which provided a summary of notable compliance problems identified by examiners. OCIE’s discussion of compliance deficiencies and weaknesses can help registered investment advisors (“RIAs”) to assess their own supervisory, compliance and risk management systems in order to revise and strengthen them.
Rule 206(4)-7 under the Investment Advisers Act of 1940 is commonly known as the Compliance Rule. Pursuant to that rule, it is unlawful for an RIA to provide investment advice unless the firm adopts and implements written policies and procedures that are reasonably designed to prevent violations of the Investment Advisers Act and its rules. Policies and procedures should also be designed to detect and correct violations that have already occurred.
The risk alert can be reviewed at https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs.pdf.
OCIE’s observations regarding the Compliance Rule
According to the risk alert, examiners found the following deficiencies or weaknesses in relation to the Compliance Rule:
Inadequate compliance resources. RIAs did not provide adequate resources to their compliance programs in areas such as information technology, staffing and training. It appeared to examiners that certain chief compliance officers (“CCOs”) did not have the time they needed to increase their knowledge of the Investment Advisers Act or fulfill their responsibilities. In some instances, CCOs had to handle many professional responsibilities other than compliance.
Insufficient authority of CCOs. Examiners noted that certain CCOs did not have the authority to develop and enforce appropriate policies and procedures for the firm. Certain RIAs restricted their CCOs from accessing critical compliance information, such as trading exception reports and investment advisory agreements with key clients. Some CCOs had limited interaction with senior management, which meant that they had insufficient knowledge regarding the RIA’s leadership, strategy, transactions, and business operations.
Annual review deficiencies. Examiners found that in some instances, RIAs were unable to prove that they performed an annual review. In other cases, annual reviews failed to reveal significant compliance or regulatory problems that existed within the firm. Certain advisors claimed to have performed limited annual reviews but failed to identify or review key risk areas, such as conflicts of interest and protection of clients’ assets. RIAs failed to review policies and procedures governing significant business areas, such as their interaction with third-party managers, cybersecurity, fee calculations, and allocation of expenses.
Implementing actions required by written policies and procedures. Examiners observed that some RIAs did not implement or perform actions required by their written policies and procedures. For example, the RIA did not review advertisements in accordance with their policies and procedures.
- Maintaining accurate and complete information in policies and procedures. Examiners encountered RIAs whose policies and procedures contained outdated or inaccurate information about the advisor. Certain firms used off-the-shelf policies and procedures that contained unrelated or incomplete information.
- Maintaining or establishing reasonably designed written policies and procedures. Examiners observed that some RIAs did not establish policies and procedures designed to prevent violations of the Investment Advisers Act. Certain advisors relied on cursory or informal processes instead of maintaining written policies and procedures.
Specific deficiencies or weaknesses found by examiners
At firms where RIAs maintained written policies and procedures, examiners observed deficiencies or weaknesses in the following areas:
- Due diligence and oversight of outside managers
- Monitoring compliance with clients’ investment and tax planning strategies
- Oversight of third-party service providers
- Due diligence and oversight of investments, such as alternative assets
- Oversight of branch offices and investment advisor representatives to ensure they are complying with the RIA’s policies and procedures
- Compliance with regulatory requirements and clients’ investment restrictions
- Adherence to investment advisory contracts
- Allocation of soft dollars
- Best execution
- Trade errors
- Restricted securities
- Accuracy of Form ADV
- Accuracy of communications with clients
Advisory fees and valuation
- Fee billing processes, including how fees are calculated, tested, and monitored for accuracy
- Expense reimbursement policies and procedures
- Valuation of advisory clients’ assets
Safeguards for client privacy
- Regulation S-P
- Regulation S-ID
- Physical security of client information
- Electronic security of clients’ information, including encryption policies
- General cybersecurity, including access rights and controls, data loss prevention, penetration testing, vulnerability scans, vendor management, employee training and incident response plans
Required books and records
- Written policies and procedures for creating and retaining accurate books and records as required by Rule 204-2 under the Investment Advisers Act
Safeguarding of clients’ assets
- Written policies and procedures regarding custody and safeguarding of clients’ assets
Business continuity plans (“BCPs”)
- Maintenance of adequate disaster recovery plans that are tested, include contact information, and designate responsibility for BCP actions
- Oversight of solicitation arrangements
- Prevention of the use of misleading marketing presentations and website content
- Oversight of the use and accuracy of performance advertising
RIAs should not incorporate superfluous policies and procedures into their compliance manual. For instance, a firm does not need policies and procedures relating to solicitors or performance advertising if they don’t use them in their marketing efforts.
The Compliance Rule requires RIAs to consider their fiduciary and regulatory obligations and to implement policies and procedures to address them. Advisors’ policies and procedures must take the firm’s operations and business model into consideration as they design their compliance program.
When examiners identify deficiencies in an RIA’s compliance program, they expect the firm to address them. The failure to do so is likely to be viewed as a recidivist violation, which might lead to an enforcement action being brought against the investment advisor.