On November 19, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations ("OCIE") issued a new risk alert (the "Alert") providing an overview of “notable compliance issues” observed during examinations of registered investment advisers (collectively, "Advisers"). The Alert details a wide range of Adviser failures to meet the requirements of Rule 206(4)-7 ("Compliance Rule") under the Investment Advisers Act of 1940 ("Advisers Act"). OCIE noted that it has regularly cited Compliance Rule deficiencies in its risk alerts. Advisers should pay careful attention to the issues identified by OCIE since deficiencies in the areas identified by OCIE increase the risk of enforcement actions and can also impact fundraising capabilities as investors increasingly evaluate the effectiveness of an Adviser’s compliance program and culture when considering where to invest. The Alert is available on the SEC’s website.
The Compliance Rule
Under the Compliance Rule, Advisers may not provide investment advice unless they have adopted and implemented written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. The Compliance Rule also requires that Advisers review their policies and procedures annually, at minimum, to assess their adequacy and the effectiveness of their implementation. Finally, the Compliance Rule requires that Advisers designate a Chief Compliance Officer (CCO) to administer their policies and procedures.
The Compliance Rule does not list specific elements that Advisers must include in their policies and procedures, instead leaving it to Advisers to consider the nature of their operations, their fiduciary duties, and regulatory obligations, and then adopt policies and procedures designed to (i) prevent violations from occurring, (ii) detect violations that have occurred, and (iii) promptly correct any violations that have occurred. Also, Advisers should update policies and procedures based on changes in their business or the Advisers Act and its regulations.
While the Compliance Rule requires only annual reviews, OCIE urges Advisers to consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments. The CCO who administers the firm’s compliance policies and procedures should know the requirements of the Advisers Act and have appropriate authority and support to develop and enforce the firm’s policies and procedures. Finally, the CCO should have sufficient seniority and authority within the firm to compel others to adhere to the compliance policies and procedures.
Against this backdrop, OCIE identified a range of notable deficiencies at Advisers it examined in connection with the Compliance Rule.
Areas of concern identified by OCIE
Inadequate compliance resources: The Alert details several deficiencies in this area, including CCOs who are assigned multiple responsibilities (eg, dual-hatted CFO/CCOs) and do not seem to devote sufficient time to their CCO responsibilities. In addition, OCIE observed that compliance staff did not have sufficient resources to implement an effective compliance program, including effective training. Insufficient resources contributed to annual review failures, untimely and inaccurate Forms ADV, and an inability to respond to OCIE books and records requests. Finally, OCIE noted its concern that Advisers growing either in size or complexity were not hiring additional compliance staff or adding adequate technology to adapt compliance policies and procedures to their changing business.
Insufficient authority of CCOs: OCIE outlined several areas where CCOs lacked sufficient authority to develop and enforce appropriate policies and procedures, including:
- Advisers that restricted CCO access to necessary information;
- Advisers where senior management did not fully inform CCOs of business leadership, strategy, transactions and operations; and
- Situations where senior management and employees did not consult CCOs regarding matters with potential compliance implications.
Annual Review deficiencies: OCIE encountered firms that could not demonstrate they had performed an annual review and firms that performed annual reviews that did not identify significant existing compliance or regulatory issues such as key risks. The Alert indicates that some annual reviews did not include review of significant areas of the business including oversight/review of third-party managers, cybersecurity and the calculation of fees and allocation of expenses.
Inadequate implementation of policies and procedures: Here the Alert highlights failures to:
- Train employees;
- Implement procedures related to trade errors, advertising, best execution, conflicts, disclosure and other requirements;
- Review advertising materials;
- Follow compliance checklists and procedures including those related to backtesting fee calculations and testing of business continuity plans; and
- Review client accounts.
Inadequately designed policies and procedures: Among the deficiencies noted in the Alert were the use by firms of off-the-shelf compliance policies and procedures and reliance on affiliate compliance programs that were not tailored to the Adviser’s business. OCIE gave Advisers who “checked the box” by having inadequately tailored written materials on hand no more credit than it gave Advisers relying on cursory or informal processes instead of developing written policies and procedures. Key areas where OCIE faulted Advisers with a failure to adequately tailor their compliance programs include:
Portfolio management: Deficient policies and procedures related to (a) due diligence and oversight of (i) outside managers, (ii) third-party service providers, (iii) investments, including alternate investments; (b) monitoring compliance with client investment and tax planning restrictions; (c) oversight of branch offices and investment advisory representatives to ensure compliance with policies and procedures (the subject of a separate November 9, 2020, OCIE Risk Alert); (d) compliance with regulatory and client investment restrictions; and (e) adherence to the terms of investment advisory agreements.
Marketing: Policy and procedure deficiencies related to (a) oversight of solicitation (eg, placement agent) agreements; (b) prevention of the use of misleading marketing materials, including on websites; and (c) oversight of the use and accuracy of performance advertising.
Trading practices: Insufficient policies and procedures involving (a) soft dollar allocation; (b) best execution; (c) trade errors; and (d) restricted securities.
Disclosures: Failures related to the accuracy of the firm’s Form ADV and the accuracy of client communications.
Advisory fees and valuation: Deficient fee billing processes (including how fees are calculated, tested and monitored for accuracy); expense reimbursement policies and procedures; and valuation of Advisory client assets.
Client privacy safeguards: Inadequate policies and procedures related to (a) Regulations S-P and S-ID (Regulation S-P was also the subject of an OCIE Risk Alert in April 2019); (b) physical and electronic security of client information; and (c) cybersecurity generally, including (i) access rights and controls, (ii) data loss prevention, (iii) testing and vulnerability scans, (iv) vendor management, (v) employee training and (vi) incident response plans.
Required books and records: Some firm policies and procedures regarding compliance with Advisers Act Rule 204-2 were inadequate.
Safeguarding client assets: Firms did not have sufficient policies and procedures related to custody and safeguarding client assets.
Business continuity plans: Here, OCIE observed that Advisers had failed to test their business continuity plans, or the plans did not contain contact information or identify those responsible for actions required by the business continuity plan. Such failures rendered the plans inadequate.
The Alert encourages Advisers to review their written policies and procedures and to assess their implementation of those policies and procedures to ensure that they are tailored to the Adviser’s business and adequately implemented.
The Alert is a roadmap for potential future enforcement scrutiny and actions. The SEC’s Division of Enforcement has, in the past, brought cases related to all of the issues identified in the Alert. We anticipate more to follow, particularly after OCIE has issued more than one alert on these and related topics.
Equally important, investors are increasingly asking questions related to the adequacy of firm compliance policies and procedures and have even asked to see deficiency letters prior to making an investment decision. Firms that have a history of deficiencies in this area, or that cannot show that they have an effective compliance program and culture of compliance, may face business challenges as investors turn to other firms with more robust compliance functions.
In addition, DLA Piper attorneys have observed SEC examination teams paying closer attention to issues raised by OCIE risk alerts following their publication. To minimize the risk of enforcement sanctions and examination deficiencies, Advisers should take proactive steps to evaluate whether they should modify their current policies, practices and procedures, including:
- Assessing the adequacy of firm compliance policies and procedures related to the topics highlighted in the Alert. We note that the Alert encompasses almost every aspect of an Adviser’s business. Advisers should consider when their compliance policies were last updated and what has changed in their business, and should assess in which areas updates may be most necessary; and
- Evaluating current training provided to employees to determine whether it is up-to-date and addresses key risk areas related to the advisory business, including the areas identified by the Alert.
If you have any questions regarding these issues, please contact the authors, your DLA Piper relationship attorney or a member of the DLA Piper Investment Funds team.
 While the Alert draws on observations from examinations of registered investment advisers, certain of the deficiencies cited are applicable to exempt reporting advisers, including venture capital fund advisers and private fund advisers with less than $150 million in assets under management, and other unregistered advisers, which are not subject to the Compliance Rule. Accordingly, unregistered advisers should ensure that they have policies and procedures reasonably designed to address the topics identified in the alert to the extent applicable.