On Nov. 19, 2020, the SEC’s Office of Compliance Inspections and Examinations and its director provided unprecedented guidance with respect to the responsibilities of private fund managers and their chief compliance officers. The public guidance, which is consistent with comments we have observed from OCIE examination staff, identifies numerous strengths and weaknesses of the compliance programs of SEC-registered investment advisers. Private fund managers and their CCOs should evaluate their compliance programs in light of this guidance.
As is customary, the Director of OCIE, Peter Driscoll, addressed the annual Investment Adviser/Investment Company Outreach program; he presented statistics for the 2020 fiscal year (e.g., conducting over 2,950 examinations, holding 300 outreach events, issuing a cybersecurity report and publishing eight risk alerts) and highlighted areas of focus during the year (including Regulation Best Interest and Form CRS compliance, LIBOR transition preparedness and asset verification).
What was less customary was a plain English direction to senior management at private fund managers and other investment managers about compliance resource and support levels. Summarized in three words as “empowerment, seniority and authority,” the Director gave a very straightforward assessment of shortcoming he sees, highlighting that:
“We notice when a CCO holds one or more roles in a firm and is inattentive to their compliance responsibilities.
We notice when a firm positions a CCO too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function.
We notice when CCOs are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures.
We notice when a CCO is replaced because they challenge questionable activities or behavior.
We notice when a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers.
We notice when a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.”
The direction to senior management, and its implicit warning, could not be clearer: “CCOs should not and cannot do it alone and should not and cannot be responsible for all compliance failures.”
The Director contrasted these troubling observations with positive ones, noting that “we do also see good practices where CCOs are routinely included in business planning and strategy discussions and brought into decision-making early-on … CCO access and interaction with senior management” and “prominence in the firm,” in general “demonstrable actions, not just words, supporting the CCO and compliance[.]” Factors mentioned in the speech that could fall under the “demonstrable actions” rubric include organizational and reporting lines, budget allocations and robust levels of dedicated staffing.
Registered advisers are required to conduct an annual review of the sufficiency of their compliance program and the efficacy of its implementation. The OCIE Director’s direction and warning should be incorporated into such reviews.
OCIE Examination Observations and Compliance Guidance
On the same day as the Director’s comments, OCIE released a Risk Alert entitled “OCIE Observations: Investment Adviser Compliance Programs” that focuses on examination deficiencies observed by OCIE staff, especially deficiencies that relate to Rule 206(4)-7 (“Compliance Rule”).
The Compliance Rule requires SEC-registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violation of the Investment Advisers Act (and the rules promulgated thereunder). The Compliance Rule does not specify a list of necessary actions to satisfy this requirement and, in the Risk Alert, OCIE instructs that “[e]ach adviser should adopt policies and procedures that take into consideration the nature of that firm’s operations. The policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred and correct promptly any violations that have occurred.”
Annual and Interim Compliance Reviews. The Risk Alert notes that the annual compliance review required under the Compliance Rule should consider:
- Compliance matters that arose during the previous year;
- Changes in the business activities of the adviser or its affiliates; and
- Changes in the Advisers Act or applicable regulations that might suggest a need to revise an adviser’s policies or procedures.
In addition, the Risk Alert cites the 2003 SEC Adopting Release for the Compliance Rule in stating that “although the Compliance Rule requires only annual reviews, advisers should consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments.”
This intra-year review point should not be ignored or glossed over. When combined with the Director’s statements and the numerous deficiencies and concerns identified in the Risk Alert, rote reliance on a single annual compliance review may be seen as problematic by the SEC examination staff, and could be particularly problematic if an actual deficiency contributes to harm to clients or a substantive violation of the federal securities laws.
Concerns over Inadequate Compliance Resources. The Risk Alert identifies several issues and concerns related to “inadequate compliance resources.” These concerns include situations involving:
- “Dual hatted” CCOs who do not appear to have sufficient knowledge of the Investment Advisers Act or of their compliance responsibilities under the Act or who do not appear to devote sufficient time to fulfilling (and who may not in fact be fulfilling) their CCO responsibilities; and
- Situations where advisers that “had significantly grown in size or complexity” have not increased their compliance headcount and have not invested in additional information technology resources, resulting in compliance-related deficiencies and failures.
OCIE also referenced numerous examples of CCOs “who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser.” As support for this shortcoming, the Risk Alert cited situations where CCOs were restricted from accessing critical compliance information, where senior non-compliance personnel only had limited interaction with the CCO, where CCOs’ knowledge about their firms’ investment and business operations was unreasonably limited and where CCOs simply were not consulted on matters that potentially had compliance implications.
Annual Review Deficiencies. Annual reviews were also expressly identified as a concern area, with the Risk Alert expressing concern over annual reviews that could not be substantiated in writing, that failed to identify key risk areas for the adviser, or that did not address areas of significant risk for the adviser and its business (with oversight and review of third-party managers, cybersecurity, fee calculations and expense allocations being identified as areas of “significant” risk).
“Follow Through” Failures. The Risk Alert highlighted numerous areas where advisers failed to carry out actions required to be taken under their compliance policies or failed to follow through on processes that were in place. These “follow through” failures collectively included:
- Inadequate training programs;
- Absences of compliance checklists and similar processes;
- Failures to implement procedures for numerous categories of policies;
- Inadequate or absent testing programs; and
- Outdated or inaccurate information (including the use of “off-the-shelf policies”).
Specific Shortfall Areas. The Risk Alert also includes the following, fairly lengthy, list of specific areas where “OCIE staff observed deficiencies or weaknesses with establishing, implementing or appropriately tailoring their written policies and procedures”:
- Due diligence and oversight of outside managers.
- Monitoring compliance with client investment and tax planning strategies.
- Oversight of third-party service providers.
- Due diligence and oversight of investments, including alternative assets.
- Oversight of branch offices and investment advisory representatives to ensure they are complying with the adviser’s policies and procedures.
- Compliance with regulatory and client investment restrictions.
- Adherence with investment advisory agreements.
- Oversight of solicitation arrangements.
- Prevention of the use of misleading marketing presentations, including on websites.
- Oversight of the use and accuracy of performance advertising.
- Allocation of soft dollars.
- Best execution.
- Trade errors.
- Restricted securities.
- Accuracy of Form ADV.
- Accuracy of client communications.
Advisory Fees and Valuation
- Fee billing processes, including how fees are calculated, tested or monitored for accuracy.
- Expense reimbursement policies and procedures.
- Valuation of advisory client assets.
Safeguards for Client Privacy
- Regulation S-P.
- Regulation S-ID.
- Physical security of client information.
- Electronic security of client information, including encryption policies.
- General cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans.
Required Books and Records. Written policies and procedures to make and keep accurate books and records as required under Rule 204-2 under the Advisers Act.
Safeguarding of Client Assets. Written policies and procedures regarding custody and safety of client assets.
Business Continuity Plans. The maintenance of adequate disaster recovery plans because the business continuity plans were not tested or did not contain contact information or designate responsibility for business continuity plan actions.
Action Items for Investment Fund Managers
These public statements may provide important indications of OCIE’s examination approach going forward. Private fund managers of all sizes and types should carefully read both of these documents and should be reviewing the level of investment in their compliance programs and personnel. This should not be a siloed, technical effort — OCIE has clearly expressed a desire for all members of senior managements to be focused on the high bar set by the Risk Alert.
The coming months will see significant changes with a new Presidential administration and a new SEC Chairman. Fund managers should address the specific points just identified by OCIE and its director to be prepared for scrutiny in the new year.