OCIE Risk Alert Highlights Compliance Rule Deficiencies Observed During Recent Adviser Exams
On November 19, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing common deficiencies related to registered investment adviser compliance programs identified by OCIE staff during recent adviser exams. Rule 206(4)-7 of the Advisers Act—the Compliance Rule—requires registered investment advisers to adopt written policies and procedures designed to prevent violations of the Advisers Act, review the adequacy and effectiveness of such policies and procedures no less frequently than annually and appoint a chief compliance officer (CCO) empowered to administer the compliance program.
OCIE identified the following categories of Compliance Rule deficiencies and weaknesses:
Inadequate Compliance Resources. Failure to devote adequate resources, such as information technology, staff and training, to compliance programs, including, for example, by (1) allowing or directing CCOs to assume various other professional responsibilities, leaving CCOs with insufficient time to devote to their compliance oversight responsibilities and/or to develop their knowledge of the Advisers Act; and (2) not hiring additional compliance staff or enhancing information technology capabilities despite having experienced significant growth in the firm’s size or complexity, leading to compliance program implementation failures;
Insufficient Authority of CCOs. Failure to empower CCOs to develop and enforce compliance programs, including, for example, by (1) restricting CCOs’ access to critical compliance information, such as trading exception reports and advisory agreements with key clients; (2) not consulting CCOs regarding matters that had potential compliance implications; and (3) not prioritizing senior management engagement with CCOs, leading to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations;
Annual Review Deficiencies. Inability to demonstrate that an annual review was performed or annual reviews that failed to identify significant existing compliance or regulatory problems, including, for example, by (1) failing to identify or review key risk areas applicable to the adviser, such as conflicts and protection of client assets; and (2) failing to review significant areas of the adviser’s business, such as policies and procedures concerning cybersecurity and the calculation of fees and allocation of expenses;
No Implementation of Compliance Program. Failure to implement or perform actions required by written policies and procedures, including, for example, by failing to (1) train employees; (2) implement compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosure and other requirements; (3) review advertising materials; (4) follow compliance checklists and other processes, including backtesting fee calculations and testing business continuity plans; and (5) review client accounts, e.g., to assess consistency of portfolios with clients’ investment objectives, on a periodic basis or on a schedule required in the adviser’s policies;
Inaccurate and Incomplete Information in Policies and Procedures. Inclusion of outdated or inaccurate information about the adviser in policies and procedures, including through the use of off-the-shelf policies;
Insufficient Policies and Procedures. Failure to maintain, establish or implement appropriately tailored written policies and procedures reasonably designed to prevent violations of the Advisers Act, including, for example, by (1) claiming to rely on cursory or informal processes instead of maintaining written policies and procedures; and (2) using policies of an affiliated entity, such as a broker-dealer, that were not tailored to the adviser’s business.
OCIE encourages advisers to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are tailored to the advisers’ business and adequately reviewed and implemented.
The Risk Alert is available here.