A s a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act (”Dodd-Frank”),1 many investment advisers – including hedge fund and private equity fund advisers previously exempt from registration – soon will be required to register with the Securities and Exchange Commission (“SEC”).2 Since the enactment of Dodd-Frank last summer, firms have been preparing for registration and considering how operating as a registered entity may impact their conduct of business. Senior managers, firm principals and newly-designated chief compliance officers (“CCOs”) have been contemplating their roles and responsibilities. Chief among all these considerations is the development of a compliance program that meets the SEC’s requirements and is tailored to address the issues and risks particular to the adviser.
As the registration deadline approaches, advisory firms – focused on the need to get policies in place – may be tempted to rush to produce a compliance manual and a Form ADV, and then consider themselves “compliant.” But it is critical for registering advisers to understand that adopting a set of compliance policies and procedures is just the beginning. Implementation of what is set out in the manual – on an ongoing basis, as part of day-to-day business – requires significant lead time and resources. Keeping pace with changes in the laws and rules, and in the firm’s business, is equally critical, as is periodic training on the firm’s compliance systems, and revising the manual as the need arises. As we will discuss below, a robust compliance program serves to protect the firm and its owners, senior personnel and CCO, while compliance deficiencies can expose all such parties to significant liability.
We begin with an overview of the basis for the investment adviser’s responsibility to develop a robust compliance program, and then identify five rules for registering advisers to follow as they embark on the road to SEC registration.
THE IMPORTANCE OF A STRONG COMPLIANCE PROGRAM
Among other things, registration requires an adviser to adhere to the requirements of Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”), also known as the “Compliance Rule.” That rule mandates that a registered adviser: (1) adopt written compliance policies and procedures reasonably designed to prevent violations of the securities laws, rules and regulations by the adviser and its supervised persons,3 (2) perform a review, at least annually, of the adequacy of such policies and procedures and the effectiveness of their implementation and (3) designate a CCO responsible for administering the compliance program.
The Compliance Rule is directed at ensuring that advisers have strong compliance programs to prevent violations of the securities laws and protect advisers’ clients and investors. The SEC made clear when it adopted the Compliance Rule that “[f]ailure of an adviser or fund to have adequate compliance policies and procedures in place will constitute a violation of [SEC] rules independent of any other securities law violation.”4 Inadequate policies and procedures also may contribute to the violation of other substantive provisions of the Advisers Act, because a firm either fails to detect wrongdoing or fails to address certain compliance risks altogether.
FIVE RULES FOR REGISTERING INVESTMENT ADVISERS
Policies and Procedures Should Be Tailored to the Firm’s Particular Business
Registering advisers with off-the-shelf manuals are looking for trouble. Template policies and procedures have their place but should not serve as the final product. The CCO, together with the adviser’s senior personnel, is charged with tailoring the policies and procedures to the particular business of the firm in order to address conflicts and risks that are relevant to the firm’s operations. Simply put, procedures that work well for a long-short hedge fund adviser may be wholly inadequate for a private equity fund adviser because of the different risks associated with each business.
Accordingly, even well-crafted, bespoke procedures in place at one’s prior firm are not the answer at one’s new firm. The SEC will give little credit to an adviser with a polished compliance manual on its shelf, if the policies and procedures in that manual do not address the real risks inherent in the adviser’s business.
The recently-settled SEC enforcement action against Wunderlich Securities, Inc. (“Wunderlich” or “Firm”), a registered adviser,5 illustrates the point. The SEC alleged, among other things, that Wunderlich adopted an “off-the-shelf” compliance manual and did not tailor the manual to the Firm’s business or conduct an annual review of its compliance program. In addition, Wunderlich allegedly failed to adopt or implement procedures to ensure compliance with the Advisers Act’s directives governing principal transactions,6 even though the firm regularly engaged in such transactions. The SEC’s complaint charged the Firm, its Chief Executive Officer and its CCO with violations of the Compliance Rule on the ground that each bore responsibility for failing to adopt and implement a written compliance program tailored to the Firm’s business.
The Compliance Manual Should Be Viewed as a Dynamic Document
Once tailored to address the risks of current business, an adviser’s compliance manual is not “final.” The annual compliance review mandated by the Compliance Rule provides the adviser the scheduled opportunity to evaluate its compliance program as part of its ongoing business operations. Every registered adviser should establish a process for ensuring that all aspects of its compliance program are reviewed and updated in the course of the annual review. Changes in investment strategy or market conditions, growth or business expansion and unforeseen events may mandate enhancements to an adviser’s policies and procedures.
The annual review is a critical, mandated component of the compliance program, but it is not only as a result of the annual review that compliance policies should be updated. A particular compliance failure or periodic testing may show that certain procedures are inadequate and should be revised. The CCO is responsible for evaluating and updating the adviser’s compliance policies and procedures on an ongoing basis as he or she becomes aware of issues or red flags.
As one example, issues identified in a deficiency letter furnished after an SEC examination must be considered internally and policies and procedures may need to be updated in response. The SEC recently settled an enforcement action against registered adviser Aletheia Research and Management, Inc. (“Aletheia”),7 alleging the adviser’s failure to remedy certain deficiencies identified in connection with the SEC’s 2005 and 2008 examinations of the firm. According to the SEC, Aletheia’s CCO was personally aware of the deficiency letters but did not address what were readily remediable deficiencies.
Likewise, recommendations of compliance consultants should be considered and addressed through revisions to firm policies and procedures, if these are appropriate, where such recommendations are solicited. An adviser is acting at its peril if it receives a consultant’s report, files it, but does not document follow-up. That documentation may reflect implementation of changes to the adviser’s policies and procedures, or disagreement with the recommendations and a discussion of the firm’s compliance analysis on the particular issues raised by the consultant. Whether a firm follows a consultant’s recommendation, or disagrees with it and documents why, the important point is that the firm needs to be in a position to show that it considered the matters raised and that its CCO satisfied his or her ongoing duty to follow up on potential compliance deficiencies. Notably, the Wunderlich settlement included additional allegations that the adviser had failed to address discrete recommendations of an outside consultant the firm had engaged to review its compliance program.
In addition to responding to potential issues and red flags, the CCO should actively monitor SEC guidance, cases and enforcement actions and ask the following key questions: Does my firm’s business involve the practices at issue? What kind of controls do we have in place? Should our policies and procedures be revisited in light of the latest guidance?
Implementation Should Be Considered a Key Component of the Compliance Program
As we note above, developing thoughtful, well-tailored policies and procedures is a good beginning, but registering advisers should understand that it is just that – the beginning. Putting in place adequate systems to implement those policies and procedures, testing their effectiveness, training personnel on the policies and procedures, as well as any modifications to them, are critical elements of a registered adviser’s compliance program. Some aspects of implementation that warrant early consideration are: Will manual certifications and requests for approvals be a reliable means of compliance, or does the firm need to adopt an electronic compliance solution? Who are the particular personnel responsible for maintaining particular records and where will they be kept so that they may be produced promptly upon SEC request? Is it sensible to form committees (e.g., best execution committee, valuation committee) to ensure participation by the right personnel in relevant decisions and oversight? How will the firm ensure that it captures all electronic communications?
Moreover, not following what is “on the books” carries its own risks: failing to follow one’s own written policies and procedures also may give rise to SEC action. The SEC, in its action against Aletheia, alleged that the firm’s policies and procedures required the CCO to review responses to client requests for proposals, but that the CCO did not comply with that requirement – and the result was responses that failed to include necessary disclosures. In other words, Aletheia and its CCO allegedly failed to implement the firm’s own written policies and procedures.
The CCO Should Have Sufficient Knowledge and Authority
A registering adviser’s CCO is expected to take on the responsibility, and have the authority, to develop, implement and enforce the firm’s compliance policies and procedures. The CCO should be sufficiently knowledgeable about the Advisers Act to carry out that responsibility, and should hold a position of authority within the firm such that he or she is able to guide the firm to an appropriate level of compliance.
At a minimum, an adviser’s CCO should have a good foundation of knowledge, the ability to learn and a demonstrated commitment to growing his or her knowledge as the firm grows. As related by the SEC, the Wunderlich firm’s CCO, who had financial industry and broker-dealer compliance experience, engaged a compliance consultant for advice when the firm significantly expanded its advisory business. He acted responsibly in seeking outside help but, according to the SEC, he did not leverage that engagement and the consultant’s recommendations to benefit his firm. The counsel of good advisers, including auditors and outside counsel, as appropriate, is a key tool for the CCO of a registering adviser.
The Adviser’s Personnel Should Be Encouraged to Internalize the Importance of Compliance
In addition to developing, implementing and enforcing the adviser’s compliance policies and procedures, the CCO also is responsible for ensuring that all personnel receive sufficient training and education to understand and meet applicable requirements of the adviser’s compliance policies and procedures. The CCO is not, however, the guarantor of a firm’s Advisers Act compliance. Nor is he or she responsible for supervising the adviser’s personnel in the performance of their duties to ensure that they comply with the firm’s policies and procedures.8 That supervisory function remains with senior business personnel and the heads of the firm’s various business functions9 and, indeed, compliance must be the responsibility of all personnel. It is critically important, therefore, that senior management themselves internalize the importance of the firm’s compliance program and communicate their views through words and conduct so that all personnel internalize the importance of compliance as well. The objective is the shared understanding that compliance matters.
Investment advisers entering the realm of SEC registration are investing wisely when they commit the time and resources to develop a robust compliance program. Tailored, workable policies and procedures that are properly implemented and trained upon serve to protect the firm and its clients, owners, senior personnel and CCO, as does ongoing review of the adequacy of policies and procedures, so that potential issues are identified and risks relevant to the business are addressed as appropriate.
In the SEC enforcement actions against advisers that we discuss above, the firms and their CEOs and CCOs were censured and assessed substantial civil penalties, and the firms agreed to retain and pay for independent consultants to review their compliance programs, subject to the requirement that the firms follow the consultants’ recommendations and report to the SEC regarding their implementation. The firms also agreed to notify advisory clients of the substance of the settlement orders and to post a copy of the orders on their websites. As these settlements demonstrate, compliance deficiencies can lead to significant liability, significant compliance costs and significant intervention in a firm’s business (e.g., compliance monitoring and SEC reporting). They can also damage a firm’s reputation, even absent intentional wrongdoing.