The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert that provides an overview of notable compliance issues identified by OCIE related to Rule 206(4)-7 (the Rule) under the Investment Advisers Act of 1940 (the Advisers Act).[1]

Under the Rule, an investment adviser registered with the SEC must implement written policies and procedures reasonably designed to prevent violation of the Advisers Act by the adviser and its supervised persons.[2] The Rule also requires an adviser to review its policies and procedures at least annually to determine their adequacy and the effectiveness of their implementation and to consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser and any changes in the Advisers Act or applicable regulations that require revisions to policies and procedures. Finally, the Rule requires an adviser to designate a chief compliance officer (CCO) to administer its compliance policies and procedures.[3]

Below are examples of notable deficiencies or weaknesses identified by OCIE staff in connection with the Rule:

Inadequate Compliance Resources – OCIE staff observed advisers that did not devote adequate resources, such as information technology, staff and training, to their compliance programs. For example:

  • CCOs who had numerous other professional responsibilities, either elsewhere with the adviser or with outside firms, and who did not appear to devote sufficient time to fulfilling their responsibilities as CCO. While CCOs may have multiple responsibilities, OCIE observed instances where such CCOs did not appear to have time to develop their knowledge of the Advisers Act or fulfill their responsibilities as CCO.
  • Compliance staff that did not have sufficient resources to implement an effective compliance program. OCIE staff observed advisers that did not appear to devote sufficient resources, such as a lack of adequate training or insufficient staff, to their compliance functions. This affected the implementation of the compliance policies and procedures the adviser had adopted and compliance with fundamental regulatory requirements.
  • Advisers that had significantly grown in size or complexity, but had not hired additional compliance staff or added adequate information technology, leading to failures in implementing or tailoring their compliance policies and procedures.

Insufficient Authority of CCOs – OCIE staff observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures. For example:

  • Advisers that restricted their CCOs from accessing critical compliance information.
  • Advisers where senior management appeared to have limited interaction with their CCOs, which led to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations.
  • Instances where CCOs were not consulted by senior management and employees of the adviser regarding matters that had potential compliance implications.

Annual Review DeficienciesOCIE staff observed advisers that were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify significant existing compliance or regulatory problems. For example:

  • Evidence of annual review. Advisers that claimed to engage in ongoing or annual compliance reviews of their policies and procedures to determine their adequacy and effectiveness of their implementation, but could not provide evidence that one occurred.
  • Identification of risks. Advisers that claimed to have performed limited annual reviews but failed to identify or review key risk areas applicable to the adviser, such as conflicts and protection of client assets.
  • Review of significant aspects of adviser’s business. Advisers that failed to review significant areas of their business, such as policies and procedures surrounding the oversight and review of cybersecurity and the calculation of fees and allocation of expenses.

Implementing Actions Required by Written Policies and Procedures – OCIE staff observed advisers that did not implement or perform actions required by their written policies and procedures. For example, staff observed advisers that did not:

  • Train their employees.
  • Implement compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosure and other requirements.
  • Review advertising materials.
  • Follow compliance checklists and other processes, including backtesting fee calculations and testing business continuity plans.
  • Review client accounts, e.g., to assess consistency of portfolios with clients’ investment objectives, on a periodic basis or on a schedule required in the adviser’s policies.

Maintaining Accurate and Complete Information in Policies and ProceduresThe staff observed advisers’ policies and procedures that contained outdated or inaccurate information about the adviser, including off-the-shelf policies that contained unrelated or incomplete information.

Maintaining or Establishing Reasonably Designed Written Policies and Procedures – OCIE staff observed advisers that did not maintain written policies and procedures or that failed to establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act. For example, staff observed advisers that claimed to rely on cursory or informal processes instead of maintaining written policies and procedures.

Where firms maintained written policies and procedures, OCIE staff observed deficiencies or weaknesses with establishing, implementing or appropriately tailoring their written policies and procedures in the following areas, among others: (i) monitoring compliance with client investment strategies, (ii) oversight of service providers and branch offices, (iii) compliance with regulatory and client investment restrictions and investment advisory agreements, (iv) oversight of the use and accuracy of performance advertising, (v) accuracy of Form ADV and client communications, (vi) fee billing processes, including how fees are calculated, tested, or monitored for accuracy, (vii) expense reimbursement policies and procedures, (viii) valuation of client assets, (ix) privacy and cybersecurity, (x) maintenance of required books and records, (xi) custody of client assets and (xii) business continuity plans.

In light of this Risk Alert, private fund advisers should review their written policies and procedures to ensure that they are tailored to the advisers’ business and adequately reviewed and implemented. In addition, advisers should ensure that their CCOs have adequate resources and authority to implement and oversee an effective compliance program.