SEC insight: aligning documenting with doing

road crossing people group walking motion city street road black and white crowd busy

The SEC’s outreach event last month not only delved into priorities for the year, it also gave valuable insight into how the commission thinks. And the common theme in every discussion was the need to make sure policies and procedures align with how an organization realistically functions. Recent enforcement cases suggest that this is harder than is sounds. Here, we look at three ways to avoid the common pitfalls.

The SEC’s October Outreach Event, hosted in its Denver Office, focused on the SEC’s 2024 priorities, including commentary on specific new rules and regulations, and an in-depth review of what firms can expect when they are examined. For most compliance professionals, the concept of “say what you do and do what you say” is already embedded in their day-to-day activity. Why would you document a process one way, and then enact that process differently?

Despite sounding like something easy to avoid, there have been countless enforcements from the SEC that tie to organizations enacting a practice that conflicts with their documentation for the practice. The plethora of electronic communications violations that we’ve seen over the past few years have never actually alleged any wrongdoing or harm to clients from the unapproved communications. Rather, they typically stemmed from an organization not having platforms like WhatsApp set up as an approved business communication, despite employees using it regularly. Although there’s no guidance from the SEC saying you can’t use WhatsApp to engage in business communications, it’s important to include proper steps covering oversight and supervision into your process.

Another example is the SEC’s enforcement against Goldman Sachs relating to their ESG practices. Although there was nothing in the enforcement that suggested the products Goldman was using weren’t ESG products, the firm were not following the specific process detailed for evaluating ESG investments that was in place. Had Goldman aligned their policy to their actual practices, there likely would not have been any enforcement against them.

So how do organizations find themselves in these situations, and what can you do to make sure you don’t make the same mistakes?

Take your document reviews seriously

Many organizations are not taking the annual review of their policies and procedures as seriously as they need to be. It’s natural to skim over long, drawn-out documents, particularly when you’ve been reviewing the same manual for years. But not taking a proactive approach to updating your manual each year can mean that, next thing you know, it’s 2023 and your communications policy doesn’t address the use of smart phones. The SEC communicates the specific parts of the regulatory landscape they will be emphasizing in exams each year to make sure firms pick these up in their reviews. At a minimum, you should be prioritizing those topics to make sure those parts of your business are ready to be examined. Additionally, when updating items in the manual, ensure any corresponding documents that speak to those policies (ADV, desktop procedures, etc.) are updated as well. Often organizations have conflicting language in different places for the same process, which immediately stands out to any examiner.

Get closer to the people following the policies

Compliance professionals often are not appropriately involved with the separate departments that actually do the work. As a result, they create a policy that the people it really matters to are unhappy with. Many organizations have compliance departments that are completely siloed from the rest of the business, usually due to a perception of it being a roadblock. A strong compliance team will work directly with the functional business leaders, taking the time to truly understand how the business is functioning before developing a policy. For better or worse, the SEC typically does not tell advisor’s exactly how they should accomplish a specific rule, so there’s often wiggle room to create a policy that will satisfy both the people doing the work and the SEC examiner reviewing it.

Test, test, test

During reviews, we’ve noticed that compliance teams are not doing sufficient testing of their firm’s policies and procedures. This point is crucial, as it’s a key way to confirm if a policy is being followed. A comprehensive testing program will clearly identify when a policy isn’t being followed by the corresponding business units. Going back to Goldman, had someone on their compliance team requested to review a sample of the questionnaires it said it was completing for each company it reviewed, it would have been immediately obvious the policy wasn’t being followed when none could be produced. The issue could then have been corrected before the SEC came in.

The conversations at the October Outreach Event were a good reminder of this vital theme that comes up in any compliance program and is often not taken as seriously as it should. This concept of “say what you do and do what you say” is not going anywhere, and it’s a very easy way for the SEC to find deficiencies in your program. You can have the best policy in the world on paper, but when you aren’t actually following it, it doesn’t mean anything. Even if there is no obvious harm to clients in the failure to follow a policy, the SEC can still issue a deficiency and potentially move to enforcement for simply not doing what you say you are going to.