Many chief compliance officers struggle every year with preparing the annual review required under Advisers Act Rule 206(4)-7. To help you out, here’s our guide to writing your annual report.

First, look at what the rule requires. Under Rule 206(4)-7, federally registered investment advisers must review their policies and procedures annually to determine their adequacy and the effectiveness of their implementation. As discussed in the Final Release for Rule 206(4)-7, advisers should “consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures.” The SEC amended the rule, requiring that the review be documented in writing. The review should answer these questions:

• Were recommendations from the prior year’s annual review implemented?
• How were compliance matters that arose during the previous year addressed?
• Were the firm’s compliance policies and procedures adequate and followed consistently?
• Are there any operational or compliance risks or weaknesses that must be addressed?
• Does the firm need to update its policies and procedures because of changes in the business activities of the adviser or its affiliates?
• Does the firm need to update its policies and procedures because of changes to the Advisers Act or any applicable regulations?

Here’s a basic outline for the report:

1. Background: Provide a brief description of the firm, including its main lines of business, client base, and assets under management. Form ADV Part 2A usually includes a description in the introduction and a section on the firm’s advisory business, which could be used for this purpose.
2. Overview of the review process: Identify who conducted the review (e.g., CCO, Management Committee, independent compliance consultant), when it was conducted, the period covered, and the For example, the Chief Compliance Officer could oversee the process and require other areas of the firm to provide input, either on an ad hoc basis or through a formal committee. The review process could cover the prior 12 months and include a review of (a) the compliance manual and (b) the results of compliance testing and monitoring over the past 12 months.
3. Identify the Principal Risks addressed through Compliance Policies and In this section, discuss the principal risks specific to your firm and whether your compliance program addresses them.
4. Business, Industry and Regulatory Developments: In this section, discuss changes to your firm and changes made in the compliance program to address them. The section should also address any regulatory changes requiring compliance program updates. If applicable, industry developments affecting your firm’s business should also be addressed. For example, significant cyber breaches may have caused your firm to re-evaluate its cybersecurity policies and procedures or engage an outside consultant to review your
5. Evaluation of the Adequacy and Effectiveness of Compliance Policies and Procedures and Recommendations: This section should summarize compliance testing results and action This could include a spreadsheet with testing results or a written summary. Remember that the Compliance Program Rule requires that the firm review “the adequacy of the policies and procedures established under this section and the effectiveness of their implementation.” Make sure that the written report specifically states whether the firm’s compliance policies and procedures are adequate and effective.

Here are our recommendations on how to conduct the annual review of the compliance program.

Compliance Manual Review

The first step should be a review of the compliance manual. An investment adviser’s compliance program should be designed to identify the firm’s regulatory obligations, mitigate conflicts of interest that could harm clients, and address risks to the firm and its clients. The SEC provided a list of risk areas that the compliance manual should address in the Final Release for the Compliance Program Rule:

• Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients’ investment objectives, disclosures by the adviser, and applicable regulatory restrictions;
• Trading practices, including best execution, soft dollar arrangements, and trade allocation;
• Proprietary trading of the adviser and personal trading activities of its employees and access persons;
• The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;
• Safeguarding of client assets from conversion or inappropriate use by advisory personnel;
• The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;
• Marketing advisory services, including the use of solicitors;
• Processes to value client holdings;
• Procedures to assess fees and expenses charged to clients;
• Safeguards for the privacy protection of client records and information; and
• Business continuity

Make sure your compliance manual covers all these areas, as applicable. I would also include policies and procedures addressing the following areas in the compliance manual:

• Compliance with the Custody Rule, including Standing Letters of Authorization and inadvertent custody (if applicable);
• Required Regulatory Filings and Compliance with other regulatory regimes, if applicable, including:
  • Form ADV Part 1 and Parts 2A, 2B and Form CRS
  • Forms U-4 and U-5
  • Form PF
  • Schedules 13d, 13g, 13f, 13h and Securities Exchange Act of 1934, Section 16 Forms 3, 4, 5
  • Anti-Money Laundering
  • Form D and state blue sky filings
  • ERISA, FINRA rules surrounding “new issues,” CFTC “de minimis” exemption, Treasury filings, and DOL Form LM-10
• Compliance oversight and employee training
• Proxy voting and Form N-PX filing requirements
• Data Security and Cybersecurity (including Massachusetts data security requirements, SEC Regulation S-ID)
• Service provider oversight and due diligence
• Political contributions and compliance with the Pay- to-Play Rule (Advisers Act Rule 206(4)-5)
• Whistleblowing

After determining whether the firm has covered the bases, engage the other areas of the firm to review and sign off on the policies and procedures that cover their operations. The goal should be to determine whether the policies and procedures are adequate and followed consistently. Therefore, the people who are supposed to be following the procedures should answer these questions. For example, portfolio managers should review policies relating to the investment management process. Traders should review policies and procedures regarding trade allocation and aggregation. The IT department should confirm whether the description of the firm’s cybersecurity procedures is accurate.

A full-blown cover-to-cover review is not always necessary; the frequency of the review depends on many factors, such as new regulations, added lines of business, use of new technology, operational changes, and changes in organizational structure. For example, a comprehensive review should occur after a merger with another firm. The compliance manual review for the next year could be limited to any changes made since the last review.

If the manual has gaps or the policies and procedures are inaccurate, discuss them in the written report of the annual review and include recommendations to fix the issues. The SEC recognizes that compliance programs are iterative and expects to see changes.

Business and Regulatory Developments

The next step should be a consideration of any business developments and the effects on the compliance program. Has the firm entered into any new lines of business; opened new offices; changed its investment strategies or practices; experienced organizational changes, such as new ownership, new subsidiaries or affiliates, or loss of significant personnel; transitioned to a new portfolio management system (or similar firm-wide technology change); or changed key service providers? Any of these developments can expose the firm to new risks and require changes to address them. For example, if the firm recently adopted the Global Investment Performance Standards (GIPS), the report on the annual review should discuss the new policies and procedures adopted to ensure compliance.

The report should also include changes to the compliance team and its processes. For example, if your firm appointed a new chief compliance officer, this should be discussed in the annual review along with a summary of the new CCO’s credentials. The same should be done when the firm adopts new compliance software, such as a personal securities transaction reporting system or email retention and review system. Describe the service, its use, and the due diligence performed to select the new service provider.

The annual compliance review should also address any key regulatory or industry developments that have affected your firm over the past 12 months. For example, in 2023, the SEC adopted three private fund rules that become effective in 2024 for advisers with $1.5 billion or more in private fund assets under management: the Restricted Activities Rule (Advisers Act Rule 211(h)(2)(1)), The Preferential Treatment Rule (Advisers Act Rule 211(h)(2)-3), and the Adviser-Led Secondaries Rule (Advisers Act Rule 211(h)(2)). There are also changes under the Advisers Act Books and Records Rule (Advisers Act Rule 204-2) that affect investment advisers, including a requirement to keep a record of “confirmations they receive and of allocations and affirmations they send or receive” under the new T+1 rules under the Securities Exchange Act. There are other changes that need to be addressed, including new “Say-on-Pay” disclosures on Form N-PX that apply to all institutional asset managers and changes to filing deadlines for firms that file Schedule 13D and 13G under the Securities Exchange Act. Check out our blog post for a summary of key regulatory developments.

Review Testing Results

The next step is a review of the compliance testing and monitoring performed throughout the year. This review should help the CCO determine whether the compliance policies and procedures are being followed and whether they are effective. The report could include a summary of tests performed along with findings and significant exceptions (e.g., in a spreadsheet) as an attachment to the written report.

The report should also address the prior year’s review recommendations. Discuss the progress made, including changes to policies and procedures. If no progress has been made, explain why not and provide any plans to remedy the situation.

The SEC will ask for this report during an examination, so choose your words carefully. This means reporting your results accurately and not making promises you cannot keep. If one test revealed some minor issues resolved, do not report “no issues.” It’s more accurate to state “no material issues.” For thornier issues where it’s unclear when the firm will resolve, be careful about setting a specific deadline; the SEC will hold you to it. Instead, it may be more productive to state that the firm will explore its options and provide periodic reports to management on its progress.

Recommendations for Improvements

The written report of the annual review should include recommendations for improvement to the compliance program. As the SEC and the Department of Justice noted, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements.” Just because your program needs improvement does not mean it’s ineffective.

It is important that the report accurately discusses the findings of the annual review. Some firms fear providing the SEC with a roadmap to their compliance failings. A successful compliance program, however, should be finding issues and resolving them. If there are no issues, then your compliance program may not be detecting problems. Material issues indicating that the firm may have violated securities laws should be discussed. Do not engage outside counsel to write the report to shield it from the SEC through a claim of legal privilege. First, it is unlikely that a claim of privilege would be successful under those circumstances, and second, the SEC can shut down your firm for failure to cooperate. Be honest. The SEC has shown much greater leniency to firms that admit their flaws and are working to correct them than firms that try to hide their issues.

The written report can also be used as leverage by the Chief Compliance Officer to request additional resources. As firms grow staff and assets under management, the compliance burden also increases. Regulatory burdens have also increased over the years, and compliance officers must monitor for more risks. The SEC also expects more from the compliance function, as evidenced by OCIE’s risk alerts. By sharing examination findings and best practices, OCIE will now expect more from firms’ compliance programs and officers.

Asking for additional resources in the annual review can be risky. A CCO may be reluctant to cast their firm in a negative light. But when persistent, serious issues need to be addressed, requesting help in writing can shield the CCO from personal liability. When the SEC goes after firms for inadequate compliance programs, CCOs who have asked for help are much less likely to be fined or censured.

Conclusion

Finally, the written report should conclude whether the firm’s compliance policies and procedures are adequate and effective. Remember, the program does not have to be perfect; it just has to be “reasonably designed to prevent violation of the Advisers Act by the adviser or any of its supervised persons.” (Rule 206(4)-7(a)) Look at your program as a whole to determine whether it is adequate and effective. If the program generally meets the goals of preventing violations of the securities laws, detecting violations that have occurred, and promptly correcting any violations, then you should be able to come to that conclusion.

Photo Credits: Photo by Michael Heuser on Unsplash.