First published in LinkedIn, December 23, 2015
As part of the annual review of an investment adviser’s compliance program, it’s a best practice to review the regulatory compliance manual to ensure that it is up to date and reflects the firm’s current practices. Sadly, however, the only readers of the manual are generally an adviser’s Chief Compliance Officer (“CCO”) and SEC staff during an examination. I would encourage all CCOs first to read the manual very carefully – especially in this era where CCOs are subject to their fair share of regulatory scrutiny. The CCO should make sure that the responsibilities included in the manual are in line with the regulatory requirements, and reflect what the CCO actually does.
Under Rule 206(4)-7, federally registered investment advisers are required (1) to “adopt and implement written policies and procedures reasonably designed to prevent violation” of the Advisers Act, (2) to review at least annually “the adequacy of the policies and procedures” and the “effectiveness of their implementation” and (3) to designate an individual “responsible for administering the policies and procedures that you adopt.”
In recent speeches and administrative proceedings, however, the SEC stated that it will go after CCOs who have participated in misconduct, have misled regulators, and when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility. The rule, however, does not support the last part of this statement. Rule 206(4)-7 says that investment advisory firms are responsible for implementing written policies and procedures reasonably designed to prevent violation of the Advisers Act and its accompanying rules, and the CCO is responsible for administering those policies and procedures.*
Administer and implement are not interchangeable terms. According to Merriam-Webster’s dictionary, “administer” means to manage or supervise the execution, use, or conduct of, and “implement” means to give practical effect to and ensure of actual fulfillment by concrete measures. As noted by SEC Commissioner Daniel M. Gallagher in his dissent to settlements involving CCOs, Rule 206(4)-7 offers “no guidance as to the distinction between the RIA’s responsibility to adopt and implement policies and procedures and the CCO’s role to administer them.” He said the rule provides that “ultimate responsibility for implementation of policies and procedures rests with the adviser itself” and not the CCO.
As a practical matter, most compliance officers do not have the authority to implement the firm’s policies and procedures. They have little say over the firm’s budget, employment practices, or overall strategy, and very few tools to hold employees accountable for compliance failures. Where a compliance officer can make a difference is in the firm’s policies and procedures, and they should take full advantage of the annual review process to ensure that the manual reflects what is actually happening (or should be happening) in the firm.
The CCO should make sure that “compliance” is not taking on more responsibility than it should. The SEC can (and does) impose liability on individuals for failing to carry out their duties based on a firm’s policies and procedures, even where they are more stringent than the law. Additionally, the CCO should not be responsible for areas where he/she does not have sufficient expertise or is not in a position to effectively supervise the employees responsible for carrying out a specific procedure or policy.
The only areas where the Advisers Act specifically mentions the CCO’s responsibilities are in Rule 206(4)-7 (administering firm’s policies and procedures), and in Rule 204A-1, the Code of Ethics rule, which says that violations of the code must be reported to the CCO, and that personal holdings and transaction reports must be submitted to the CCO (or a designee).
What does it mean to “administer” the firm’s compliance policies and procedures? The SEC has not given guidance, so this is an opportunity for CCOs to define their role and those of other areas of the firm. Generally the CCO should be responsible for:
- Helping draft policies and procedures to meet the firm’s regulatory and fiduciary obligations;
- Providing advice on how to conduct business in accordance with the Advisers Act and accompanying regulations, as well as other applicable laws; and
- Monitoring and testing to verify that firm policies and procedures are being followed, and that they are effective.
Other areas of the firm should perform their tasks in accordance with the procedures, and the managers of those areas should be held accountable for oversight. For example, to ensure the privacy of client data, the IT department or operations personnel should be responsible for ensuring the firm has effective firewalls, up-to-date malware and virus protection, and control over access to the firm’s server and data storage. The head of IT or Chief Operations Officer is responsible for making sure the employees he or she supervises are performing these duties. The CCO is in charge of periodically requesting proof that the firewalls haven’t been breached and that the firm’s virus protection software is current. The policy and procedure for protecting the privacy of client information would state that IT or Operations is responsible for carrying out this task, the supervisor of that department is responsible for oversight, and the CCO is responsible for periodically auditing the process to make sure it is being carried out, issues are being handled and escalated as necessary, and providing advice on compliance with regulatory requirements.
Cover the Basics
- Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients’ investment objectives, disclosures by the adviser, and applicable regulatory restrictions;
- Trading practices, including best execution and soft dollars, and other services (“soft dollar arrangements”), and allocation of aggregated trades among clients;
- Conflicts of interest, including the personal trading activities of supervised persons;
- The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;
- Safeguarding of client assets from conversion or inappropriate use by advisory personnel;
- The accurate creation of required records and their maintenance;
- Marketing advisory services, including the use of solicitors;
- Valuation and assessment of fees;
- Protection of the privacy of client records and information; and
- Business continuity plans.
Next, the manual should address regulatory requirements, such as the Form ADV update, preparing and filing Form PF (if applicable), filing Form 13D, Form 13H, and Schedule 13G, etc. Other requirements under the Advisers Act that should be addressed include proxy voting, and political contributions. The manual should also cover other regulations that apply to your specific business, such as special treatment and disclosure for accounts containing ERISA assets, Investment Company Act requirements, audits of satellite offices, procedures for marketing interests in private funds, and compliance with CFTC regulations. The compliance manual may also contain procedures for complying with any SEC exemptive orders applicable to the firm and procedures to address deficiencies noted in prior SEC examinations.
Engage all Areas of the Firm
During an SEC exam, the staff reads a firm’s compliance manual and expects that this document reflects how a firm operates. The problem for many firms is that the manual is too vague, stating that “the firm” is responsible for ensuring a specific policy is followed. In this situation, no employee or area of the firm is accountable for compliance. Alternatively, firms may also mistakenly assign to the CCO all responsibility for ensuring that all policies and procedures are being followed. Not only is this approach impractical, it is not humanly possible.
To make the firm “own” compliance, the CCO should get employees involved in the drafting and revision of the manual. No one wants to read the policies and procedures, so make it an engaging process. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area. For example, provide the traders with the allocation and aggregation policies and procedures and review the language. Ask them to describe the trading process from start to finish to see if the procedure reflects the actual practice. For example, who gives the order for the trade? How does the trader select the broker to execute the trade? How does the trader aggregate and allocate the order across participating accounts? Who checks to confirm that the trades were implemented and allocated correctly? Who reviews the trade blotter at the end of the day?
The CCO should revise the procedures based on input received, and require the supervisor to review and approve them. Supervisors then have accountability for those procedures. The goal is to have a procedure that reflects what actually happens, identifies who is supposed to perform various tasks, and assigns responsibility for supervising the activity. Don’t cover every single contingency or specify the various reports run or software being used, but make sure that everyone knows what their duties are.
Admittedly this is a lot of work, at least for the initial review. But it serves several purposes. First, it gets people to read the manual. There is nothing more embarrassing (and demoralizing) than to have the SEC staff read a policy aloud during an exam, and have firm employees admit that they were unaware that the manual included that particular provision. Second, it helps reinforce the message the compliance is a firm-wide obligation that is embedded in the day-to-day operations of the firm. Third, it is a great learning experience for the CCO. It is an opportunity to get to know others within the firm, what they do, how they do it, and what obstacles they face. Finally, it requires different areas of the firm to take ownership of the policies and procedures applicable to them.
Two (or more) heads are better than one
Consider whether a group or committee is a better venue for overseeing certain policies and procedures. For example, in complex areas such as best execution and soft dollars, a committee with representatives from trading, portfolio management, operations, compliance and legal, is a way to bring the relevant experience and expertise to the table. Likewise, a working group with representatives from operations, trading, IT and compliance may be better suited for evaluating the firm’s data security and business continuity plans. The CCO may also want to bring together portfolio managers, the CEO, and the COO to determine potential sanctions and requests for exemptions under the Code of Ethics. Working groups and committees require participation and understanding of the firm’s policies and procedures. They also encourage communication among areas of the firm.
We are not alone
CCOs should strive to transform the compliance manual into a useful document that helps firms understand their regulatory and fiduciary obligations, instead of a dusty doorstop. More often than not, the annual review of the compliance manual is performed by the CCO alone, and only reflects recent changes to the law and the hot topics from regulators. Given the SEC’s increasingly aggressive prosecution of advisers for failure to comply with Rule 206(4)-7, it’s time to use the manual to define the roles of all areas of the firm in implementing the compliance program. CCOs can seize this opportunity to capitalize on the SEC’s failure to provide guidance, and define for themselves what it means to administer the compliance program.
*David Porteous, from the law firm of Faegre Baker Daniels, deserves the credit for this idea, which he presented at a meeting of Cleveland-area Chief Compliance Officers. Thanks David!