New Risk Alert outlines common compliance failings

New Risk Alert outlines common compliance failings

The OCIE’s latest Risk Alert makes it clear the SEC expects more from Chief Compliance Officers. The Risk Alert: OCIE Observations: Investment Adviser Compliance Programs describes the most commonly cited compliance rule deficiencies identified by the Office of Compliance Inspections and Examinations.

The alert covers a range of topics from CCO authority to specific deficiencies with advisers’ policies and procedures.

Inadequate compliance resources

The OCIE says advisers are not devoting adequate resources to their compliance programs. CCOs were identified with “numerous other professional responsibilities” who were not appearing to “devote sufficient time to fulfilling their responsibilities as CCO”. The OCIE specifically identified circumstances where the CCO either did not have time to develop their knowledge or fulfil their responsibilities as CCO due to their other responsibilities.

The OCIE further references situations where the compliance function and resources have failed to keep pace with an adviser’s overall growth leading to deficiencies in areas which cited later in the Risk Alert.

Bovill note: This is a particularly important point for middle market private equity mangers and smaller hedge fund managers who typically designate an individual with significant other responsibilities within the firm as CCO.

Insufficient authority of CCOs

During examinations the OCIE observed situations where the CCO lacked sufficient authority within the firm. The OCIE specifically mentions:

  • Advisers restricting CCOs from accessing information central to CCO’s ability to exercise effective oversight
  • Advisers where the CCO had limited interaction with the firm’s senior management leading to the CCO having inadequate information about the firm to fulfil their role as CCO
  • Situations where the CCO was not consulted or involved in matters with potential compliance implications

Bovill note: In our experience CCO authority and access has not been a serious concern. However, as CCO, it is important to be aware of the issue. 

Annual review deficiencies

The OCIE cited lack of evidence of an annual review as a common deficiency. Furthermore, for advisers that were able to evidence an annual review, there were those who failed to identify or review key areas of risk specific to the adviser. Finally, the OCIE found advisers failed to review significant areas of their business.

Bovill note: “It’s not what you know, it’s what you can prove” (Training Day). While not a stated requirement in Rule 206(4)-7, the OCIE has made it clear that you must be able to provide evidence of the annual review. Additionally, generic reviews will be deemed insufficient. A firm’s annual review should be tailored to the firm’s activities and risks. A good guide for tailoring an annual review includes considering SEC Risk Alerts and regulatory developments, the firm’s evolution and investment strategy, and specific areas of risk unique to the firm.

Policies and procedures

The remainder of the Risk Alert focuses on various aspects of advisers’ policies and procedures. To start, the OCIE cites advisers’ failure to implement or perform actions required by the advisers’ policies and procedures. The examples provided by OCIE include failure to:

  • Train employees
  • Implement compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosure and other requirements
  • Review advertising material
  • Follow compliance checklists and other processes, including backtesting fee calculations and testing business continuity plans
  • Review client accounts.

Additionally, the OCIE found that advisers failed to keep their policies and procedures updated and that policies and procedures contained inaccurate information.

Finally, OCIE found that advisers did not have appropriately tailored policies and procedures that were reasonably designed to prevent violations of the Advisers Act. OCIE specifically called out cursory or informal processes instead of maintaining written policies and procedures. Where advisers maintained policies and procedures, OCIE cited deficiencies or weaknesses in the following areas:

  • Portfolio management
  • Marketing
  • Trading practices
  • Disclosures
  • Advisory fees and valuation
  • Safeguards for client privacy
  • Books and records
  • Safeguarding of client assets
  • Business continuity plans.

Bovill note: Many of the areas specifically highlighted by the SEC are themselves the subject of an OCIE Risk Alert so they shouldn’t come as a surprise. Considering and documenting how a firm handles even the smallest detail related to the above is vital to a successful interaction with the SEC. It goes without saying that the existence of outdated policies and procedures is “low hanging fruit” but it is clear the SEC will consider outdated policies and procedures as evidence of more significant deficiencies. It is vital to review and update the firm’s policies and procedures as changes occur.

How Bovill can help

With this Risk Alert the SEC is making it clear it expects more from CCOs. Bovill helps “dual hatted” CCOs by becoming an extension of the firm’s compliance resources. Bovill also undertakes independent reviews of advisers seeking to understand where their risks during either a mock SEC exam or by performing a firm’s required annual review. We also offer short-term seconded resources for specific projects or to assist in the maintenance of a firm’s compliance program.

Want more insights like this?

Join our mailing list