The Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on November 19, 2020 related to the Advisers Act compliance rule, Rule 206(4)-7. Some key takeaways for Chief Compliance Officers (CCOs) are as follows:

CCOs must be nimble and respond to changes in the business.  The rule calls for annual compliance reviews, but when things go wrong, or the adviser’s business arrangements or risk profile changes, CCOs should assess whether an interim review is necessary or advisable, and act accordingly.

CCOs should have authority within their firm and act with authority.  OCIE observes that CCOs should have sufficient knowledge, authority and seniority to compel others to comply. OCIE’s list of deficiencies include the following:

• A CCO that is a “Jack of All Trades,” may be the master of none.  A CCO who has too many roles within the firm, and lacks the time and resources to become an expert in the Advisers Act, and cannot devote sufficient time to overseeing and administering the compliance program, is a CCO that should reconsider the priority of the CCO’s compliance functions.
• Insufficient compliance resources leave a CCO in a vulnerable position.  OCIE observed firms where inadequate resources were provided, which resulted in the CCO being unable to assure adequate staff training, conduct appropriate annual reviews, ensure accurate disclosure in the firm’s Form ADV, and properly maintain of the firm’s books and records.
• A CCO that is not kept abreast of significant developments at the firm is operating “in the dark” to the firm’s detriment.  OCIE observed firms where CCOs were not informed by senior management when compliance breaches arose, or when events were occurring that might significantly impact the firm’s risk profile. CCOs in this position are not sufficiently informed to be fully effective.

Doing what you can, but not fully complying with the requirements of the rule, may not be enough.  OCIE observed deficiencies in the effectiveness of annual compliance reviews, such as compliance reviews that: were not well documented, failed to identify key risk areas (particularly conflicts of interest and asset protection), overlooked key areas for compliance, such as oversight of third party managers, cybersecurity, fee calculations and expense allocations.  CCOs need to ensure that the compliance program is carried out as intended, and not settle for inadequate compliance measures.

If it’s in your manual, OCIE will inspect for it.  OCIE zeroed in on staff training; procedural implementation regarding conflicts of interest; advertising reviews taking place uniformly; following and using your checklists; back testing fee calculations by compliance; testing continuity plans; and reviewing client accounts for compliance with investment objectives on a systematic basis.  CCOs need to ensure that all material risks are identify in the compliance manual, and then ensure that all items in the compliance manual are carried into effect, as intended.

Off the shelf policies are an OCIE red flag.  OCIE is looking for up to date, firm specific, tailored compliance programs.  An off the shelf compliance program that is not properly tailored puts the firm at risk of compliance violations and deficiencies.  A reasonably designed compliance program needs to address the specific risks of the firm.

OCIE’s 27 Hot Topics.  OCIE is looking at the following areas:

1. Due diligence and oversight of outside managers.
2. Monitoring compliance with client investment and tax planning strategies.
3. Oversight of third-party service providers.
4. Due diligence and oversight of investments, including alternative assets.
5. Oversight of branch offices and investment advisory representatives to ensure they are complying with the adviser’s policies and procedures.
6. Compliance with regulatory and client investment restrictions.
7. Adherence with investment advisory agreements.
8. Oversight of solicitation arrangements.
9. Prevention of the use of misleading marketing presentations, including on websites.
10. Oversight of the use and accuracy of performance advertising.
11. Allocation of soft dollars.
12. Best execution.
13. Trade errors.
14. Restricted Securities.
15. Accuracy of disclosure in Form ADV.
16. Accuracy of client communications.
17. Fee billing processes, including how fees are calculated, tested, or monitored for accuracy.
18. Expense reimbursement policies and procedures.
19. Valuation of advisory client assets.
20. Regulation S-P.
21. Regulation S-ID.
22. Physical security of client information.
23. Electronic security of client information, including encryption policies.
24. General cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans.
25. Custody rule.
26. Maintenance of books and records.
27. Business Continuity Plans.

Conclusion: Compliance is a process, and not an event.  It is a process that can and should adapt with the firm, as the firm grows and changes.  CCOs should also remember that details matter, both to properly manage the firm’s risks, and because OCIE will review the details with care in assessing the adequacy of the firm’s compliance program.

See full alert here.

[View source.]