OCIE Risk Alert: Compliance Empowerment and Execution
The Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert on November 19, 2020, outlining notable issues related to the compliance programs of SEC-registered investment advisers (“advisers”). The weaknesses and deficiencies identified in this Risk Alert underscore OCIE’s expectations about (i) the adoption of a compliance program tailored to each adviser’s business, (ii) the dedication of sufficient resources, and delegation of required authority, to each adviser’s compliance function, and (iii) the thorough implementation and execution of such compliance program.
Tailored Compliance Program
Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”) requires advisers to adopt and implement compliance programs that are reasonably designed to prevent the adviser and its employees from violating the Advisers Act. The Compliance Rule does not mandate advisers adopt specific enumerated policies and procedures; instead, the SEC and its staff expect that an adviser’s compliance program addresses relevant areas in a manner that is tailored to the specific risks and business practices of the firm.
OCIE identified several areas where advisers commonly failed to establish, implement, or appropriately tailor written policies and procedures, including those addressing portfolio management, marketing, trading practices, disclosures, advisory fees and valuation, privacy, books and records, custody, and business continuity plans. The Risk Alert also cautions that deficiencies often resulted from off-the-shelf policies containing outdated or inaccurate information.
Compliance Resources and Empowerment
“Inadequate compliance resources” is first on the list of notable deficiencies and weaknesses identified by OCIE. The implementation of the firm’s compliance policies and procedures suffers when a firm has insufficient compliance staff or does not devote adequate resources to its compliance staff. This issue can arise when an adviser undergoes significant growth in size or complexity and does not hire additional compliance staff or provide additional resources, such as information technology services. Similarly, OCIE also noted instances where Chief Compliance Officers lacked authority within the adviser’s organization to enforce the compliance policies and effectively oversee the business operations.
The importance of the empowerment, seniority and authority of the Chief Compliance Officer within the adviser’s business was emphasized in a speech by Peter Driscoll, Director of OCIE, which discussed this Risk Alert. As the regulatory scrutiny of advisers grows, OCIE expects the compliance functions within advisers to keep-up and to be a powerful force leading a culture of compliance within the organization.
Implementation and Execution
Implementation and execution of written policies and procedures is paramount to an adviser’s compliance with its regulatory obligations, as well as a source of many deficiencies discussed by OCIE in this Risk Alert. Specifically, OCIE observed instances where advisers did not perform tasks required by their written policies and procedures, including periodic trainings, reviews and compliance testing. This is a reminder that the SEC expects advisers to do everything that their compliance manuals say they will do, and the failure to perform certain tasks could be viewed as a failure to implement compliance policies and procedures as required by the Compliance Rule.
On the topic of annual compliance reviews (as required by the Compliance Rule), there were deficiencies relating to advisers that were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify and review significant risks and aspects of the adviser’s business. Although preparing a written report of the annual review is not a requirement of the Compliance Rule, OCIE regularly requests written documentation of an adviser’s annual review, and advisers face difficulty evidencing to the OCIE staff that they conducted an annual review if they are unable to produce any such documentation. OCIE stated that advisers should consider interim compliance reviews in light of changes to the business or regulatory developments. This echoes OCIE’s August 2020 Risk Alert where OCIE recommended that advisers re-assess compliance policies in light of COVID-19 and the new work-from-home environment.
* * *
Advisers should consider reviewing their compliance program and its implementation in light of this alert to ensure the compliance program is tailored to the adviser’s business and effectively implemented for today’s environment. Part of this review should be confirming that all tasks are being performed as described in the written policies and procedures and, to the extent there are shortcomings, assessing whether additional resources are required.