The SEC's Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert related to Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (“Advisers Act”).
Deficiencies related to the Compliance Rule have been among the most common cited by OCIE. Under the Compliance Rule, it is unlawful for an investment adviser registered with the Commission (“adviser”) to provide investment advice unless the adviser has adopted and implemented written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder by the adviser or any of its supervised persons. The Compliance Rule requires advisers to consider their fiduciary and regulatory obligations under the Advisers Act and to formalize policies and procedures to address them.
The Alert details common deficiencies, including:
- OCIE staff observed advisers that did not devote adequate resources, such as information technology, staff and training, to their compliance programs.
- CCOs who had numerous other professional responsibilities, either elsewhere with the adviser or with outside firms, and who did not appear to devote sufficient time to fulfilling their responsibilities as CCO.
- Compliance staff that did not have sufficient resources to implement an effective compliance program.
- Advisers that had significantly grown in size or complexity, but had not hired additional compliance staff or added adequate information technology, leading to failures in implementing or tailoring their compliance policies and procedures.
- Advisers that restricted their CCOs from accessing critical compliance information, such as trading exception reports and investment advisory agreements with key clients.
- Advisers where senior management appeared to have limited interaction with their CCOs, which led to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations.
- Instances where CCOs were not consulted by senior management and employees of the adviser regarding matters that had potential compliance implications.
- Evidence of annual review. Advisers that claimed to engage in ongoing or annual compliance reviews of their policies and procedures to determine their adequacy and effectiveness of their implementation, but could not provide evidence that one occurred.
- Identification of risks. Advisers that claimed to have performed limited annual reviews but failed to identify or review key risk areas applicable to the adviser, such as conflicts and protection of client assets.
- Review of significant aspects of adviser’s business. Advisers that failed to review significant areas of their business, such as policies and procedures surrounding the oversight and review of recommended third-party managers, cybersecurity, and the calculation of fees and allocation of expenses.
