In November 2020, the staff of the SEC’s Division of Examinations (f.k.a. OCIE) (the “Examinations Division” and its staff, “Examinations Staff”) issued two risk alerts (the “Alerts”) that, in our view, offer particularly helpful information that is important reading for anyone who is responsible for regulatory compliance of a federally-registered investment adviser. The Alerts provide helpful guidance regarding the creation and implementation of written policies and procedures; as well as the support and maintenance of a successful compliance program.

We recently published a legal alert, available here, summarizing key points from the first Alert (the “Multi-Branch Alert”), which relays Examination Staff’s observations from their 2016-2018 examinations of federally-registered investment advisers with at least one office or place of business other than the adviser’s principal “home” office.¹ This legal alert focuses on the second Alert (the “Compliance Programs Alert”), which identifies frequent deficiencies relative to the Compliance Rule and, in particular, provides the following to adviser compliance personnel:

1. Insights into the types of CCO arrangements that raise red flags for Examination Staff;
2. Examples of the substantive areas that most frequently reveal inadequate compliance programs; and
3. Practical steps advisers can take now to be ready for their next cyclical exam and/or use in defending themselves in an Enforcement Division investigation.²

In many ways, the Compliance Programs Alert echoes the Multi-Branch Alert, and many of its observations were reiterated in a speech made the same day as its release by the director of the Examinations Division, Peter Driscoll (the “Driscoll Speech”).³ Key points from the Compliance Programs Alert and the Driscoll Speech are summarized below.

A. Overview of Compliance Rule Obligations

• Prevent and Detect. As in the Multi-Branch Alert, Examinations Staff emphasized that compliant policies and procedures are designed to: (i) prevent violations form occurring, and (ii) detect and correct promptly any violations that have occurred. Policies should be specific to the adviser’s unique business operations, reviewed at least annually, and regularly enhanced.⁴
• Procedural reviews. Advisers’ annual reviews of their compliance programs should include a substantive review of: (i) any compliance matters that arose in the previous year, (ii) any changes in the business activities of the adviser or its affiliates, and (iii) any changes in the Advisers Act or applicable regulations that might necessitate revisions to the adviser’s policies and procedures. Targeted reviews may also be conducted on an “as needed” basis in response to significant events. Annual and other reviews should be well documented.⁵

**KTS Practical Tip: Mark outdated versions of policies and procedures as superseded, and include the effective date and a version number reference on the cover of the in-use policies and procedures. Circulate each new version to all employees, highlighting what has been changed and why, and request a read-receipt or affirmative response to the distribution. Follow-up with those who fail to comply promptly.

**KTS Practical Tip: Keep in mind the difference between a policy (i.e., a framework or guide for overall goals and operations), a process (i.e., descriptions of the flow of an activity), and a procedure (i.e., step-by-step, detailed instructions for repeatable actions to achieve a specified outcome). Policies, processes, and procedures should be written down and, collectively, set forth the “who, what, why, when, and how” that a registrant meets all of its obligations under the Advisers Act (and all other applicable rules and regulations).

• The Compliance Rule requires that an adviser designate a chief compliance officer (a “CCO”) to administer its policies and procedures. Staff makes clear in the Compliance Programs Alert that the CCO – at the time he or she is appointed - must be competent and knowledgeable regarding the Advisers Act.

**KTS Practical Tip: CCOs who are sufficiently familiar with the applicable rules to identify an issue or area of concern can then affirmatively seek more detailed guidance or direction from the adviser’s compliance consultants or regulatory compliance counsel.

• The CCO must be able and empowered to develop and enforce the adviser’s compliance program.⁶ In the Driscoll Speech, Director Driscoll heavily emphasized that advisers must fully support their CCOs by, among other things:
  • Giving the CCO a meaningful seat at the table;
  • Involving him or her in key business planning and strategy discussions;
  • Creating a culture of compliance through consistent, holistic inclusion and involvement by the CCO in all aspects of the adviser’s business; and
  • Ensuring the CCO directly reports to and/or is a prominent part of the adviser’s senior management team.⁷

B. Compliance Rule Deficiencies and Weaknesses

The Compliance Programs Alert identified key deficiencies noted by Staff in recent examinations,⁸ many of which were also emphasized in the Driscoll Speech, including the following:

• Inadequate compliance resources, particularly at small firms and firms that have grown significantly in a short period of time. Specifically, Examinations Staff noted the following:
  • Advisers devoted inadequate resources to compliance, including by underfunding information technology (both persons and systems), compliance staff, and training.
  • CCOs held too many professional responsibilities, either within the adviser or at other firms (e.g., an outsourced or part-time CCO), and as a result had insufficient time to develop a fulsome (or even an adequate) understanding of the Advisers Act and fulfill their responsibilities under the Compliance Rule.
  • Compliance staff did not have sufficient resources to implement an effective compliance program.
    • Advisers lacked adequate training programs, rendering advisers unable to implement their compliance programs.
      • Deficiencies related to failures to implement compliance programs are key focus areas of both the Examinations Division and the SEC’s Division of Enforcement (the “Enforcement Division”). For example, in May 2020, the Enforcement Division assessed a $1 million penalty from an adviser that had good policies and procedures but failed to properly implement them.⁹
    • Advisers lacked sufficient staff to perform required annual reviews, accurately complete and file Form ADV amendments and other disclosure documents, or timely respond to regulatory requests for required books and records.¹⁰
• CCOs were given inadequate access and control.
  • CCOs were restricted from accessing critical information, including trading exception reports and investment advisory agreements with key clients.
  • Limited interaction between senior management and CCOs inhibited CCOs’ abilities to issue-spot because they lacked knowledge about firm leadership, strategy, transactions, and business operations.
  • Senior management and employees failed to consult CCOs regarding matters that had potential regulatory compliance implications.
  • Advisers replaced CCOs who challenged questionable activities or behaviors.¹¹

**KTS Practical Tip: Turnover in the CCO position is a frequently cited criteria used by the Examination Division when identifying advisers for cyclical exams.

• Management used CCOs as scapegoats for the adviser’s compliance deficiencies, despite failing to involve CCOs in key business discussions, providing CCOs and compliance personnel with inadequate resources, or otherwise failing to support and empower the compliance function.¹²

**KTS Practical Tip: The ability to evidence a well-designed, fully implemented and tested compliance program is the best defense in an Enforcement Division inquiry. Conversely, in extreme situations, the Enforcement Division may deem a compliance program so deficient that it imputes the adviser with reckless conduct (and thus more severe charges and penalties) under the Advisers Act.

• Annual review deficiencies.
  • Advisers were unable to prove they had performed annual reviews.
  • Annual reviews failed to identify significant existing compliance or regulatory problems, thereby indicating that the review was poorly designed and/or ineffectively executed.
  • Advisers failed to identify or review key risk areas in conducting their reviews (e.g., conflicts and protection of client assets) or significant areas of their business (e.g., policies and procedures surrounding oversight and review of recommended third-party managers, cybersecurity, and the calculation of fees and allocation of expenses). ¹³

**KTS Practical Tip: A well-designed recordkeeping program retains both records specifically enumerated under Rule 204-2 and records evidencing that the adviser has complied with other regulatory obligations. Otherwise, an adviser risks Examinations or Enforcement Staff taking the position that if the registrant cannot evidence that something happened (e.g., the annual review), then it did not happen.

• Taking actions required by the written policies and procedures.
  • Advisers did not implement or perform actions required by their policies and procedures. For example, Examinations Staff noted that advisers had failed to:
    • Train employees;
    • Review advertising materials;
    • Follow compliance checklists or other processes (e.g., back-testing fee calculations and testing business continuity plans through table-top exercises or the like); and
    • Review client accounts (e.g., to assess consistency of portfolios with clients’ investment objectives) on a periodic basis or other timeline set forth in the adviser’s procedures.¹⁴

**KTS Practical Tip: Sometimes policies and procedures should be specific, whereas other times a more general, flexible approach may work better. Ultimately, policies and procedures must be feasible in practice. There is little value in designing overly rigorous procedures that the adviser is unequipped to effectuate.

• Advisers’ policies and procedures contained outdated or inaccurate information about the adviser, including off-the-shelf policies that contained unrelated or incomplete information.
• Advisers claimed to rely on cursory or informal practices rather than maintaining written policies and procedures.
• Advisers used an affiliated entity’s policies and procedures, such as those of an affiliated broker-dealer, which by definition were not tailored to the adviser’s business.
• Written policies and procedures were not sufficiently tailored to the adviser’s business with respect to:
  • Portfolio management (e.g., due diligence and oversight of outside management, oversight of third-party service providers, and oversight of branch offices and supervised persons);
  • Marketing (e.g., oversight of solicitation arrangements and the use and accuracy of performance advertising);
  • Trading practices (e.g., allocation of soft dollars, best execution, trade errors, and restricted securities);
  • Disclosures (e.g., accuracy of Form ADV and client communications);
  • Advisory fees and valuation (e.g., fee billing processes, expense reimbursement policies and procedures, and valuation of client assets);
  • Safeguards for client privacy (e.g., Regulation S-P, Regulation S-ID, physical and electric security of client information, and general cybersecurity concerns);
  • Required books and records in accordance with Rule 204-2 under the Advisers Act;
  • Custody and safeguarding of client assets; and
  • Business continuity plans (e.g., testing business continuity plans and providing contact information and designating responsibility for business continuity plan actions).¹⁵

***

The enhanced scrutiny on advisers, their compliance programs, and disclosure regimes has grown in recent years and promises to continue to grow. In 2020 alone (during a global pandemic), the Examination Division examined 15 percent of all registered advisers.¹⁶

Thus, advisers should review their own compliance programs and their current treatment of CCOs and compliance staff, and analyze whether:

• Compliance programs and written policies and procedures are thoughtfully designed and tailored to the specific needs of their current business;
• Written policies and procedures are actually implemented and enforced, are functioning as intended, and are updated to reflect changes in the business or applicable regulations, and other best practices enhancements;
• CCOs are actively involved in key business decisions and planning and strategy discussions, and company management is attuned to and supportive of the needs and input of CCOs and compliance staff; and
• CCOs and compliance staff have sufficient resources (e.g., adequate staff, training, and technology) to implement and enforce policies and procedures.
  • An adviser will likely fail in any attempt to gain sympathy from the Commission or mitigate adverse outcomes for clients or markets by pointing to its lack of compliance staff and/or resources. Instead, an unsupported compliance regime may form the basis of standalone or pile-on sanctions.

Footnotes