SEC Issues Risk Alert Identifying 6 Areas of Deficiencies in Investment Adviser Compliance Programs
The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on November 19 providing an overview of notable compliance violations found during examinations relating to the Compliance Rule (Rule 206(4)-7 under the Investment Advisers Act of 1940). The Compliance Rule requires, among other things, that investment advisers (advisers) adopt policies and procedures reasonably designed to address compliance risks for their businesses, review their compliance policies at least annually to determine their adequacy and effectiveness, and appoint a knowledgeable and sufficiently empowered Chief Compliance Officer (CCO) to oversee the implementation of these policies.
OCIE identified several issues in its examinations with respect to these areas. The deficiencies were grouped into six categories, with the most notable findings summarized below:
Inadequate Compliance Resources
- CCOs had other professional responsibilities and did not have adequate time to devote to the compliance function.
- Compliance staff did not have adequate resources such as staff, technology, and training to implement an effective compliance program.
- Advisers had grown in size and complexity but had not added compliance resources or technology to support their programs.
Insufficient Authority of CCOs
- Advisers restricted CCOs from accessing critical information.
- CCOs had limited interaction with senior management and therefore had a limited view of the business.
- CCOs were not consulted on matters with potential compliance implications.
Annual Review Deficiencies
- Advisers could not provide adequate documentation to demonstrate that they had conducted an annual compliance review.
- Advisers failed to identify key risk areas applicable to their businesses.
- Advisers failed to review significant areas of their business, such as policies and procedures surrounding the oversight and review of third-party managers, cybersecurity, and the calculation of fees and allocation of expenses.
Implementing Actions Required by Written Policies and Procedures
- Advisers did not follow their own policies and procedures with respect to various areas, including training of staff, review of advertising materials, and periodically reviewing client accounts.
- Advisers did not have oversight or check for accuracy in disclosures or performance used in advertising.
Maintaining Accurate and Complete Information in Policies and Procedures
- Advisers had inadequate policies and procedures, including “off-the-shelf” policies with unrelated or incomplete information.
Maintaining or Establishing Reasonably Designed Written Policies and Procedures
- Advisers failed to establish, implement, or appropriately tailor policies and procedures in areas that were applicable to their firms.
- Weaknesses and deficiencies were also found across due diligence processes, third-party oversight, marketing, surveillance of trading practices, cybersecurity, and client safeguards for privacy.
- Advisers also had not tested their Business Continuity Plans (BCP) and did not update their BCPs to reflect new contacts and responsibilities for each area.
The Compliance Rule does not identify specific requirements in many of these areas, and much is left up to the discretion of advisers to determine what is reasonable based on the nature of their businesses. However, with this alert, the OCIE staff is sending a strong message that many firms are not devoting sufficient time and resources in these areas.
Advisers should take a thorough look at their practices and programs in light of this alert and look to enhance their compliance processes where necessary. Specifically, advisers should:
- Prepare documentation for annual reviews and testing
- Review their current staffing and technology needs to ensure they meet the needs of their firm
- Revisit their current policies, procedures, and checklists with a focus on oversight, trading, marketing, and books and records
- Assess their current vendor oversight, privacy, and cybersecurity programs
- Schedule annual trainings
ACA has developed several checklists to assist advisers with enhancing their programs.
- BCP Activation Checklist
- Surveillance Program Gap Analysis Checklist
- Compliance Officer’s Plan for Recovery in the Next Phase of COVID-19
- Compliance Testing Action Plan
How We Help
An objective assessment of a firm’s own practices can be difficult. ACA can provide an experienced third-party perspective across compliance, cybersecurity and privacy, performance, and regulatory technology.
Our risk and compliance management solutions incorporate consulting, managed services, technology, and education to provide our clients with a holistic approach to addressing risk, increasing operational efficiencies, and meeting regulatory requirements while adhering to industry best practices. ComplianceAlpha®, our regulatory technology platform, is used by over 800 leading financial services firms worldwide to transform their risk and compliance programs through automated surveillance, ongoing monitoring, flexible workflows, and enhanced analytics.
Our experienced compliance team of over 230 consultants and analysts, which includes former SEC examiners, in-house compliance professionals, and former CCOs, works closely with our technology, cybersecurity, privacy, and performance experts to design and deliver solutions that meet our clients’ unique business needs and regulatory requirements.
For More Information
If you have any questions about this Risk Alert or how ACA can help you manage and enhance your compliance program, please reach out to your ACA consultant or contact us below.