News & Insights

OCIE Risk Alert: common compliance program issues

WHAT HAPPENED?

On Nov. 19, 2020, the Office of Compliance Inspections and Examinations of the U.S. Securities and Exchange Commission (OCIE) released a Risk Alert outlining common compliance concerns among registered investment advisers. The list was compiled based on recent compliance examinations of advisers.

Common deficiencies examiners found were often related to violations of the Compliance Rule, which mandates that advisers design, adopt, and implement written policies and procedures to prevent violations of the Advisers Act, that the policies and procedures are reviewed at least annually, and that each adviser designate a Chief Compliance Officer to oversee the firm’s compliance program.

Key takeaways from OCIE’s findings are below:

KEY TAKEAWAYS

  • Advisers had poor internal resources; common issues included:
    • CCOs that did not have time to fulfill their compliance duties or study the Advisers Act because they were assigned or committed to other non-compliance related activities within their firms;
    • Firms provided little or no employee training programs or did not have enough staff designated to carry out compliance functions; and
    • Firms that grew substantially but did not train additional compliance staff or add compliance resources to meet expanded needs.
  • CCOs were not granted appropriate authority to carry out all compliance functions, such as:
    • Not having access to key documents like investment advisory agreements or trading exception reports;
    • CCOs having inadequate interaction with other senior members of the firm, leading to gaps in knowledge of the firm’s operations; and
    • Employees outside of the compliance department not contacting the CCO regarding situations that may have compliance implications.
  • Advisers had deficient annual review practices that either did not take place or did not identify compliance issues, including:
    • Claims that an annual review occurred without any supporting documentation or evidence to prove it occurred;
    • Advisers who claimed to have conducted a limited annual review but failed to identify areas of risk specific to the firm; and
    • Failure to review significant areas of the adviser’s business, like cybersecurity practices, throughout review efforts.
  • Advisers did not implement all practices required by their policies and procedures, these included failure to:
    • Train employees;
    • Implement policies and procedures for all requirements;
    • Properly review advertising and marketing materials;
    • Abide by all compliance checklists; and
    • Conduct review of client accounts.
  • Advisers had policies and procedures that were not updated properly or contained outdated information; some used boilerplate policies and procedures with irrelevant or incomplete information.
  • Advisers did not maintain written policies and procedures at all or relied on policies from an affiliate, such as a broker-dealer, that did not address adviser-specific issues.
  • Weak policies and procedures were noticed among firms in areas such as:
    • Portfolio management, including due diligence practices and oversight of third-party vendors, or adherence to investment advisory agreements;
    • Marketing, including oversight of solicitation arrangements and performance advertising;
    • Trading practices, including best execution, trade errors, and restricted securities;
    • Disclosures, including inaccuracies on Form ADV disclosures and client communication errors;
    • Fees and valuation, including billing process policies or practices for valuating client assets;
    • Client privacy safeguards, including Regulations S-P and S-ID and general cybersecurity practices;
    • Policies and procedures to require proper books and records, as required under the Advisers Act;
    • Policies and procedures for safeguarding client assets, including those regarding custody; and
    • Business continuity and disaster recovery plans, including plan testing and information about designated response actions and persons responsible for those actions.

WHAT DOES THIS MEAN FOR ME?

OCIE’s observations can be used proactively by advisers to avoid receiving deficiencies on upcoming routine examinations. Designing, adopting, and implementing strong policies and procedures are essential and foundational to a successful compliance program.

Fairview can provide comprehensive compliance support and help you prepare for and participate in SEC examinations. Our affiliates, Fairview Performance Services, which offers performance related services, and Fairview Cyber, which offers vendor management and cybersecurity services, can also help your firm meet regulatory compliance and client expectations. Reach out to us today for more information on what we can do for your firm.