United States: SEC's OCIE Publishes Risk Alert Providing Its Observations Of Investment Adviser Compliance Programs

On November 19, 2020, the Office of Compliance Inspections and Examinations ("OCIE") of the US Securities and Exchange Commission ("SEC") published a risk alert¹ ("Risk Alert") discussing its observations from a series of examinations that focused on SEC-registered investment advisers ("Advisers") related to the compliance rule (Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended ("Advisers Act")). The Risk Alert covers a fairly comprehensive set of compliance program deficiencies the OCIE staff (the "Staff") has identified in a sample of deficiency letters from recent Adviser examinations. On the same day, at OCIE's National Investment Adviser/Investment Company Compliance Outreach 2020 seminar, OCIE Director Peter Driscoll made opening remarks (the "2020 OCIE Director Speech") that focused on the role of an Adviser's Chief Compliance Officer ("CCO").² Because the Risk Alert and the 2020 OCIE Director Speech focus on similar issues, this Legal Update summarizes both.

Compliance Rule Deficiencies and Weaknesses Identified by OCIE in the Risk Alert

Although not meant to be a complete list of all deficiencies found, OCIE makes the following observations of what it viewed as inadequate compliance programs in the Risk Alert:

1. Inadequate Compliance Resources - The Staff observed that certain Advisers did not devote adequate resources to compliance, including information technology, staff and training. Specifically, the Staff cited to the following deficiencies:
   • Certain CCOs had numerous other professional responsibilities and did not appear to devote sufficient time to fulfilling their responsibilities or develop their knowledge of the Advisers Act;
   • Certain compliance staff did not have sufficient resources to implement an effective compliance program resulting in insufficient implementation of compliance policies and procedures, including annual reviews of compliance programs, inaccurate Form ADV filings, and delayed responsiveness upon OCIE requests for required books and records; and
   • For certain Advisers that had significantly grown in size or complexity, the Staff observed that these advisory firms had not hired additional compliance staff or added adequate information technology to keep abreast of that growth, leading to failures in implementing or tailoring compliance policies and procedures; December 7, 2020 2 Mayer Brown | SEC's OCIE Publishes Risk Alert Providing Its Observations of Investment Adviser Compliance Programs
2. Insufficient Authority of CCOs - The Staff observed certain CCOs who lack sufficient authority to develop and enforce appropriate policies and procedures. EXAMPLES:
   • Certain Advisers that restricted CCO access to critical compliance information, such as trading exception reports and investment advisory agreements with key clients;
   • Senior management of certain Advisers limited interaction with their CCOs, resulting in limiting the knowledge of firm leadership, strategies, transactions and business operations; and
   • Instances in which the CCOs of certain Advisers were not consulted by senior management and employees regarding compliance matters.
3. Annual Review Deficiencies - OCIE Staff observed that certain Advisers were unable to demonstrate performance of annual reviews of compliance policies and procedures.³ The Staff also observed that annual reviews of certain Advisers failed to identify significant existing compliance or regulatory problems (inferring, ostensibly, that an annual review would be insufficient unless significant compliance problems were identified). In this regard, the Staff observed certain Advisers:
   • Claiming to have engaged in ongoing or annual compliance reviews but not being able to produce evidence that in fact they had.
   • Claiming to have engaged in compliance reviews but failing to identify or review key risk areas, such as conflicts and safeguarding client assets.
   • Failing to review significant areas of their businesses, such as oversight and review of third-party managers, cybersecurity, fee calculations and allocations of expenses.
   • As a practice pointer, the Staff brings a level of skepticism that an Adviser has performed an annual review, or even a "rolling" review, if there is no written report or summary as evidence that a review has taken place. The same degree of skepticism applies if any written report contains no findings pertaining to the effectiveness of compliance policies and procedures. As a general matter, we frequently recommend that an Adviser record compliance issues, problems, inadequacies or breaches in a compliance log, but only after any of these issues have been resolved so that the resolution will be recorded at the same time. Then, when the log is reviewed and included in an annual review, that review will also reflect corrective action.
4. Implementing Actions Required by Written Policies and Procedures - The Staff observed certain Advisers that did not perform or implement actions required by their own written policies and procedures. EXAMPLES of what such advisers did not do include:
   • Train employees;
   • Implement procedures such as trade errors, advertising, best execution, conflicts, and disclosure;
   • Review advertising materials;
   • Follow compliance checklists, backtesting fee calculations and testing business continuity plans; and
   • Review client accounts for consistency with client investment objectives.
5. Maintaining Accurate and Complete Information in Policies and Procedures - The Staff observed outdated or inaccurate information in policies and procedures of certain Advisers, including off-theshelf policies with unrelated or incomplete information.
6. Maintaining or Establishing Reasonably Designed Written Policies and Procedures - The Staff observed that certain Advisers did not maintain written policies and procedures or failed to write policies and procedures designed to prevent violations of the Advisers Act. The Staff also found that certain Advisers used policies of affiliated entities that were not tailored to the advisers business. Specific deficiencies and weaknesses included:
   • Portfolio management deficiencies in:
     • Due diligence and oversight of outside managers,
     • Monitoring compliance with client investment and tax planning strategies,
     • Oversight of third-party service providers,
     • Due diligence and oversight of investments such as alternative assets,
     • Oversight of branch offices and advisory representatives to ensure compliance with policies and procedures,
     • Compliance with regulatory and client investment restrictions, and
     • Adherence to investment advisory agreements;
   • Marketing:
     • Oversight of solicitation agreements,
     • Prevention of the use of misleading marketing presentations, including on websites, and
     • Oversight of the use and accuracy of performance advertising;
   • Trading practices:
     • Allocation of soft dollars,
     • Best execution,
     • Trade errors, and
     • Restricted Securities;
   • Disclosures ? Accuracy of Form ADV, and
     • Accuracy of client communications;
   • Advisory fees and valuation:
     • Fee billing processes, including fee calculations, testing and monitoring for accuracy,
     • Expense reimbursement policies and procedures, and
     • Valuation of advisory client assets;
   • Safeguarding for client privacy:
     • Regulation S-P,
     • Regulation S-ID,
     • Physical security of client information,
     • Electronic security of client information, including encryption policies, and
     • General cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans;
   • Required books and records;
   • Safeguarding of client assets; and
   • Business continuity plans.

In concluding the Risk Alert, OCIE encouraged advisers to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are tailored to the advisers' business and adequately reviewed and implemented.

2020 OCIE Director Speech

As noted above, the Director of OCIE provided opening remarks at OCIE's 2020 national compliance outreach seminar for Advisers, which touched on related compliance topics described in the Risk Alert. Mr. Driscoll began his remarks by summarizing OCIE's recent interactions with Advisers since the onset of the COVID-19 pandemic ("COVID-19"). He noted that OCIE continues to conduct examinations of Advisers through correspondence (in lieu of traditional on-site examinations) and offered certain initial observations with respect to the Adviser business continuity policies ("BCPs"). He noted that most Advisers had BCPs in place that were activated as a result of COVID-19 and that BCP-related issues and concerns raised by firms varied. He explained that many of the BCP implementation issues have been minor and were addressed quickly but that some of the issues required a little more creative thinking, such as addressing the loss of critical personnel to illness and developing procedures to effectively handle the travel bans and local and regional lockdowns, addressing the lack of childcare for workers, and tele-school demands. He also noted that more active revisiting and monitoring will be required for other concerns or challenges, such as cybersecurity and data protection, market volatility and spiked volume, Advisers maintaining their financial solvency, and customers with financial hardships. He also stated that Advisers may be presented with new challenges, including, as an example, remote due diligence on service providers and sub-advisers, and stated that new technology adopted to address business or compliance needs during COVID-19 may bring with it risks that will need to be evaluated by skilled and knowledgeable compliance departments.⁴

The remainder of his remarks focused on the CCO. He noted that as stated in the adopting release to the Advisers Act's compliance rule, CCO should be competent and knowledgeable regarding the Advisers Act; should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm; and that a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.⁵ In particular, he noted that the above three bolded words matter and noted certain instances where OCIE has observed that Advisers may not have fully embraced these concepts with respect to the CCO. OCIE has observed Advisers:

• Taking a "check-the-box" approach to the CCO requirement, merely looking at it as a way to satisfy the rule as opposed to thinking of the role as an essential component of running an advisory or fund business and failing to sufficiently support or empower the CCO.
• Having a CCO with multiple roles in a firm, potentially making the person inattentive to their compliance responsibilities. (In this respect, some combinations of duties are compatible, such as combining the CCO role with the Chief Financial Officer role, and others may not be, such as combining the CCO role with marketing activities.)
• Positioning the CCO too low in the organization to make meaningful change and have a substantive impact, e.g., as a mid-level officer or a clerical staff member.
• Expecting the CCO to create policies and procedures but not giving them the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures.
• Replacing the CCO because they challenged questionable activities or behavior
• Trotting out the CCO for an examination or having them sit silently in the corner in compliance discussions, overshadowed by firm senior officers.
• Assigning responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.

Notwithstanding the above, Mr. Driscoll did note examples where OCIE has observed good practices with respect to the CCO, which included Advisers that:

• Routinely include CCOs in business planning and strategy discussions and bring them into decisionmaking early-on, not for appearances but for their meaningful input; and
• Provide CCOs with access to senior management, who value the CCOs and give the CCOs prominence in the firm.

He noted that a good CCO can be a true "value-add" to the business and that by keeping up with regulatory expectations and new rules, CCOs can assist in positioning their firms not only to avoid costly compliance failures, but also provide pro-active compliance guidance on new or amended rules that may provide advisers with additional business options.

Mr. Driscoll noted that it was important that CCOs be provided with adequate resources, including training, automated systems and adequate staff. This not only supports the Adviser's growth, but perhaps most importantly, "empowers" the CCO in his/her compliance mission. He explained that the CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the Adviser's failings, but that the compliance department should be fully integrated into the business of the Adviser for it to be effective.

In terms of authority, he noted that who a CCO reports to will vary depending on the size of the organization, the leadership structure, the experience of the CCO, and the compliance culture, but that at a minimum, a CCO should have a direct line of reporting to senior management, if not be part of senior management. Specifically, he noted that in all cases, a CCO should be empowered to address compliance weaknesses directly, and report concerns directly to senior management, no matter the source of problem.

With respect to the compliance budget, Mr. Driscoll stated that there is no standard or rule, but that the compliance budget is an area of focus during an OCIE examination, particularly where OCIE staff sees an underfunded compliance department. As such, he noted that Advisers should appropriately assess their own needs based on their business model, size, sophistication, adviser representative population and dispersion, and provide for sufficient resources as necessary for compliance with applicable laws.

In concluding his remarks, Mr. Driscoll noted the importance of an Adviser's compliance culture, specifically a culture of compliance supported by a sincere "tone at the top" by senior management. He reiterated that CCOs should be empowered, senior and have authority but should not and cannot do it alone and should not and cannot be responsible for all compliance failures.⁶

Footnotes

#1 OCIE Observations: Investment Adviser Compliance Programs, SEC OCIE Risk Alert (November 19, 2020), available at https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf

2 Speech by Peter Driscoll, Director of OCIE: The Role of the CCO - Empowered, Senior and With Authority, National Investment Adviser/Investment Company Compliance Outreach 2020 (November 19, 2020), available at https://www.sec.gov/news/speech/driscoll-role-cco-2020-11-19

3 It should be noted that Rule 206(4)-7 under the Advisers Act, the compliance rule, requires each CCO to review the adequacy of the adviser's policies and procedures on at least an annual basis. The rule does not require the annual review to be in writing. When an adviser does not have a written annual review, while not a violation of the compliance rule, it becomes challenging to prove that such a review took place.

4 2020 OCIE Director Speech.

5 See Release No. IA-2204, Compliance Programs of Investment Companies and Investment Advisers (Dec 17, 2003).

6 2020 OCIE Director Speech.