Observations on OCIE’s Risk Alert on Investment Adviser Compliance Programs

On November 19, 2020, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert¹ (the Alert) providing an overview of the OCIE staff’s observations from examinations of SEC-registered investment advisers. The Alert focused on compliance issues related to Rule 206(4)-7 (Compliance Program Rule) under the Investment Advisers Act of 1940 (Advisers Act), one of the most common sources of deficiencies cited by the OCIE staff.² The Compliance Program Rule requires advisers to (i) adopt written policies and procedures, (ii) review those policies and procedures on an annual basis, and (iii) appoint a chief compliance officer (CCO) to administer those policies and procedures.

On the same date as the Alert, OCIE director Peter Driscoll, in his opening remarks at the 10th National Compliance Outreach program, emphasized the essential role of CCOs in designing, adopting, and implementing compliance programs that satisfy the requirements of the Advisers Act.³ Among other things, Driscoll stressed that effective CCOs are appropriately empowered and have the requisite seniority and authority within their firms’ advisory businesses to actually implement, enforce, and compel adherence to their compliance programs. This Sidley Update summarizes the Alert’s observations and offers practical tips to incorporate the OCIE staff’s observations into existing compliance programs to address the requirements of the Advisers Act.

Overview

In the Alert, OCIE addresses six broad categories of notable deficiencies or weaknesses: (1) inadequate compliance resources, (2) insufficient authority of CCOs, (3) annual review deficiencies, (4) failures to implement written policies and procedures, (5) failures to maintain complete and accurate written policies and procedures, and (6) failures to establish or maintain reasonably designed written policies and procedures.

The Alert, together with Driscoll’s Remarks, remind market participants of OCIE’s careful evaluation of each adviser’s adoption and implementation of written policies and procedures that address the adviser’s specific risk profile and conform to the requirements of the Advisers Act and related rules. They also highlight the importance of appointing a CCO who is knowledgeable regarding the Advisers Act and empowered with full responsibility and authority to administer and enforce the adviser’s compliance program. We expect that the Compliance Program Rule and the specific issues highlighted in the Alert will continue to be areas of focus in exam inquiries and enforcement actions.

(1) Inadequate Compliance Resources

The staff observed a number of deficiencies stemming from under-resourced compliance departments, including with respect to information technology, compliance personnel, and training. Examples included the following:

• Some CCOs with multiple roles were found to be inattentive to their compliance responsibilities or too busy with other professional demands to develop and maintain appropriate knowledge of the Advisers Act.
• Insufficient or insufficiently trained compliance staff resulted in deficiencies related to conducting annual reviews, accurate and timely filings, and timely responses to requests from OCIE staff.
• Advisers with compliance infrastructure (staff or information technology) that failed to keep pace with the evolution of their businesses had compliance policies and procedures no longer tailored to the specific compliance risks associated with their advisory businesses.

Practical Tips/Action Items

• Periodically assess the sufficiency of current compliance resources, particularly after a material change in size, complexity, or regulatory burden for the business. 
• If your CCO wears multiple hats, periodically assess whether your advisory business has grown sufficiently large and complex to require a full-time CCO. 
• Empower the CCO to request and allocate compliance resources as needed to address compliance weaknesses, and ensure direct access to senior management for reporting related concerns.⁴

(2) Insufficient Authority of CCOs

The staff cited multiple cases of CCOs with insufficient authority within their advisory firms to effectively develop and enforce appropriate compliance policies and procedures. For instance, the staff observed some CCOs who had insufficient knowledge about their firms’ strategy, transactions, and business operations.

Practical Tips/Action Items

• Assess the CCO’s position within the adviser’s organizational structure to confirm access to all information required to assess the adviser’s compliance program under the requirements of the Advisers Act.
• Confirm that the CCO carries the authority to compel advisory personnel to adhere to an adviser’s compliance program and has a direct line of reporting to, if not a position as part of, senior management.⁵

(3) Annual Review Deficiencies

The staff observed advisers who were unable to demonstrate their performance of annual reviews and advisers who performed and documented annual reviews but failed to identify significant compliance issues that were present within the program. Other advisers were found to have performed only limited compliance reviews that excluded key areas of risk for their advisory businesses, such as applicable policies and procedures concerning cybersecurity, calculation of fees, allocation of expenses, and oversight and review of recommended third-party managers.

Practical Tips/Action Items

• Compliance policies and procedures should be formally reviewed at least annually through a documented process that assesses the adequacy of the adviser’s policies in light of the adviser’s evolving business and the ongoing effectiveness of their implementation. 
• An annual review should include an assessment of the adviser’s primary risks. The review should focus on those key areas of compliance risk, including any issues raised during prior years and any deficiencies noted in mock exams, as well as areas identified in OCIE’s annual list of examination priorities.⁶
• Consider using a formalized checklist tailored to your business to document annual and periodic compliance reviews.

(4) Failure to Implement Written Policies and Procedures

Continuing a common theme of compliance program deficiencies, the staff observed failures by advisers to implement their written policies and procedures, including with respect to personnel training; the review of advertising materials; back-testing fee calculations; policies relating to trade errors, best execution, conflicts, and disclosures; testing business continuity plans; and timely review of client accounts to assess adherence to investment objectives.⁷

(5) Failure to Maintain Complete and Accurate Written Policies and Procedures

As the staff has noted in prior summaries of their observations, some firms continue to adopt compliance policies and procedures that are outdated, inaccurate, or incomplete, including in some cases the use of “off the shelf” policies that contain information unrelated to an adviser’s business.⁸

Practical Tip/Action Item

• Incorporate into every periodic review of the adviser’s policies an assessment to address material changes in an adviser’s business, its key personnel, and relevant laws, rules, and regulations to confirm that policies properly reflect the adviser’s current operations and risks.

(6) Failure to Establish or Maintain Reasonably Designed Written Policies and Procedures

The staff observed some advisers who had no written policies and procedures and, instead, claimed to rely on cursory or informal processes. Other advisers had adopted written policies and procedures that were either not implemented or not appropriately tailored to their advisory businesses — for instance, advisers who relied on the policies and procedures of a broker-dealer affiliate without revising to address the specific activities and nuances of their advisory businesses and attendant risks. With advisers who maintained written policies and procedures, the staff observed a wide range of deficiencies, including in each of the categories identified as essential to an effective compliance program in the Compliance Program Rule’s adopting release⁹ (to the extent relevant to an adviser’s advisory business):

• Portfolio Management¹⁰
• Marketing¹¹
• Trading Practices¹²
• Disclosures¹³
• Advisory Fees and Valuation¹⁴
• Safeguards for Client Privacy¹⁵
• Books and Records Requirements¹⁶
• Safeguarding of Client Assets¹⁷
• Business Continuity Plans¹⁸

Practical Tip/Action Item

• Incorporate reviews of impacts to compliance policies and controls from changes to the advisory business into the adviser’s change control practices as part of an on-going effort to identify and promote implementation of changes and adherence to new or revised policies by all advisory personnel.

¹The Alert is available at https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf.

²OCIE, “The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers” (February 7, 2017) (The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers), available here. See also “SEC and FINRA Issue 2020 Examination Priorities for Broker-Dealers and Investment Advisers” (January 17, 2020), available here.

³See Peter Driscoll, Director, OCIE, “The Role of the CCO – Empowered, Senior and With Authority” (November 19, 2020) (Driscoll’s Remarks), available here. A recording of the event will be made available on the SEC’s website.

⁵See id.

⁶See SEC, “2020 Examination Priorities” (January 7, 2020), available here.

⁷See, e.g., OCIE, “Observations from Examinations of Investment Advisers: Compliance, Supervision, and Disclosure of Conflicts of Interest” (July 23, 2019) (OCIE Observations: Compliance, Supervision, and Disclosure of Conflicts of Interest), available here; The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers; and OCIE, “Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers” (November 9, 2015) (Advisers and Funds That Outsource Their Chief Compliance Officers), available here. For additional discussion of OCIE observations regarding Compliance Program Rule-related deficiencies, see “Observations on OCIE’s Risk Alert on Examinations of Investment Advisers: Supervision, Compliance, and Multiple Branch Offices” (November 17, 2020) (OCIE Observations: Supervision, Compliance, and Multiple Branch Offices), available here.

⁸See, e.g., OCIE Observations: Compliance, Supervision, and Disclosure of Conflicts of Interest; The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers; and Advisers and Funds That Outsource Their Chief Compliance Officers.

⁹See SEC, “Final Rule: Compliance Programs of Investment Companies and Investment Advisers,” Advisers Act Release No. 2204 (December 17, 2003) (the Compliance Program Release), available here. We note that in the Alert, the staff combined the categories for “trading practices” and “proprietary trading,” listed separately in the Compliance Program Release, under the single banner of “Trading Practices.”

¹⁰See OCIE Observations: Supervision, Compliance, and Multiple Branch Offices; OCIE, “Investment Adviser Principal and Agency Cross Trading Compliance Issues” (September 4, 2019), available here; and OCIE, “Strengthening Practices for Preventing and Detecting Unauthorized Trading and Similar Activities” (February 27, 2012), available here.

¹¹See, e.g., “SEC Publishes Important Guidance on Common Advertising Rule Compliance Issues” (October 5, 2017), available here, and OCIE, “The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers” (September 14, 2017).

¹²See OCIE, “Compliance Issues Related to Best Execution by Investment Advisers” (July 11, 2018) (Risk Alert), available here.

¹³See “Observations from Private Fund Adviser Examinations: Practical Tips and Best Practices” (July 7, 2020) (Observations from Private Fund Adviser Examinations), available here, and OCIE Observations: Compliance, Supervision, and Disclosure of Conflicts of Interest.

¹⁴See Observations from Private Fund Adviser Examinations and OCIE, “Overview of the Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers” (April 12, 2018), available here.

¹⁵See “Recent Risk Alerts by SEC OCIE Highlight Privacy and Cybersecurity Issues in Examinations” (June 3, 2019).

¹⁶See OCIE, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” available here.

¹⁷See “SEC Publishes Important Guidance on the Custody Rule, Participating Affiliate Arrangements, Robo-Advisers, Form PF and Certain Compliance Topics” (May 8, 2017) and “U.S. Securities and Exchange Commission Issues Two New Frequently Asked Questions About ‘Inadvertent Custody’ ” (June 28, 2018), available here.

¹⁸See, e.g., “Business continuity planning: preparing for pandemics and other significant business disruptions” (June 22, 2020), Westlaw Practitioner Insights Commentaries, available here; “SEC Proposes New Rule for Investment Advisers That Would Require Business Continuity and Transition Plans” (July 7, 2016) available here.