The Office of Compliance and Inspections ("OCIE") within the US Securities and Exchange Commission continues to issue valuable "risk alerts" summarizing the findings of recent regulatory inspections. The OCIE's most recent release focuses on asset manager compliance programs. Inadequate compliance resources, insufficient authority of the Chief Compliance Officer, failure of asset managers to actually do what the written compliance policies said...yep, the SEC found all that.
The OCIE's release "Investment Adviser Compliance Programs" (available here) outlines a list of compliance deficiencies identified by the SEC - and, of course, relevant to the scope of investor due diligence programs.
The key issues noted by the regulator are:
Inadequate Compliance Resources
- Chief Compliance Officers ("CCO") with "numerous other professional responsibilities" who "did not appear to devote sufficient time to fulfilling their responsibilities as CCO".
- Lack of training of compliance staff.
- Insufficient numbers of staff, impacting "fundamental regulatory requirements" such as the ability to perform annual compliance reviews or accurately complete and file Form ADVs.
- Managers that had significantly grown in size or complexity but had not hired additional compliance staff or added adequate information technology.
Insufficient Authority of CCOs
- Managers restricting their CCO from accessing information such as trading exception reports or investment advisory agreements with key clients.
- Managers where senior management had limited interaction with the CCO, meaning that the compliance officer had "limited knowledge about the firm's strategy, transactions and business operations."
- Instances where the CCO was not consulted by management or employees about matters which had potential compliance implications.
Annual Review Deficiencies
- Managers who could not provide any evidence of conducting an annual review of their firm's compliance program.
- Managers where annual reviews failed to identify key risks, such as conflicts of interest or protection of client assets.
- Managers where the annual review failed to include key areas such as review of recommended third party managers, cybersecurity, calculation of fees and allocation of expenses.
Implementing Actions Required by Written Policies and Procedures (so walk the walk, not just talk the talk...)
- Managers failed to train their employees (!!).
- Failure to implement compliance policies around trade errors, advertising, best execution or disclosures.
- Failure of compliance to review advertising materials.
- Failure to follow compliance checklists, such as failure to backtest fee calculation or test business continuity plans.
- Failure to review client accounts for consistency of portfolios with client investment objectives.
Maintain Accurate and Complete Policies and Procedures
"The staff observed advisers' policies and procedures that contained outdated or inaccurate information about the adviser, including off-the-shelf policies that contained unrelated or incomplete information."
Maintain Reasonably Designed Written Policies and Procedures
Finally, the OCIE has identified numerous areas where asset managers have failed to establish adequate compliance policies, resulting in a list of potential weaknesses, including:
- Due diligence and oversight of outside managers.
- Monitoring compliance with client investment and tax planning strategies.
- Oversight of third-party service providers.
- Due diligence and oversight of investments, including alternative assets.
- Oversight of branch offices and investment advisory representatives to ensure they are complying with the adviser’s policies and procedures.
- Compliance with regulatory and client investment restrictions.
- Adherence with investment advisory agreements.
- Oversight of solicitation arrangements.
- Prevention of the use of misleading marketing presentations, including on websites.
- Oversight of the use and accuracy of performance advertising.
- Allocation of soft dollars.
- Best execution.
- Trade errors.
- Accuracy of Form ADV.
- Accuracy of client communications.
- Fee billing processes, including how fees are calculated, tested, or monitored for accuracy.
- Expense reimbursement policies and procedures.
- Valuation of advisory client assets.
- Physical security of client information.
- Electronic security of client information, including encryption policies.
- General cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans.
- Written policies and procedures to make and keep accurate books and records as required under Rule 204-2 under the Advisers Act.
- Written policies and procedures regarding custody and safety of client assets.
- Business continuity plans, including the maintenance of adequate disaster recovery plans, where the business continuity plans were not tested, did not contain contact information, or did not designate responsibility for business continuity plan actions.
Overall, where are the SEC going? Some key themes:
- Asset managers must have sufficient compliance resources.
- Managers must have evidence of their compliance programs in operation (that is, documented evidence, including evidence of testing).
- Compliance programs must be tailored to the manager's business, not generic, boilerplate, and over-lawyered.
- Fees and expenses charged to clients are a key area of focus: any error in fee calculation (or failure to disclose fees) is a related party transaction, which is not subject to a materiality threshold.
- Conflicts of interest must be managed and disclosed.
As always, plenty of topics for operational due diligence!