
Investment Management

How to design investment adviser compliance programs

December 17, 2007


Five questions for investment advisers and some helpful resources

Registered investment advisers are required to adopt and implement internal control procedures to prevent their firms and their supervised persons from violating any of the provisions of the Investment Advisers Act (the Advisers Act). The broad requirement to act affirmatively to prevent all violations is a Pandora’s box of uncertainty for investment advisers as they consider how to fashion meaningful compliance programs.

The compliance program rule, Securities and Exchange Commission Rule 206(4)-7, is relatively simple but broadly encompassing. A registered investment adviser must:

• Adopt and implement written policies and internal control procedures reasonably designed to prevent violation of the Advisers Act and of the rules of the SEC under the Advisers Act by the adviser and its supervised persons;

• Designate a chief compliance officer (CCO) with responsibility for administering the policies and procedures; and

• Review, at least annually, the adequacy of the policies and procedures and the effectiveness of their implementation.

Although the requirement to have a compliance program is simple and straightforward, the rule leaves open the question of how the adviser should go about “reasonably designing” a compliance program.

Requirements for the content of adviser compliance programs are not specified in the compliance program rule, or in any other SEC rules. The premise of the rule is that each adviser must take the general requirement — to adopt policies and procedures that are reasonably designed to prevent violations of the Advisers Act and related rules and regulations — and fashion its own written compliance program with terms that are tailored to the specific nature of its own operations. In other words, one size does not fit all; all must fashion programs suited to their own individual sizes and shapes.

By working through the answers to the following five questions, a registered investment adviser can develop a compliance program that meets the regulatory requirements.

1. Is your CCO able to administer your compliance program?

The compliance program rule requires advisers to designate a CCO who is responsible for administering its compliance policies and procedures. From an organizational and personal standpoint, the CCO has responsibility for making the compliance policies and procedures work, so it makes sense for an adviser to start by considering what the qualifications for its CCO should be and who can best fill that role. SEC guidance provides that the CCO should be competent and knowledgeable about the Advisers Act and should have full authority to develop and enforce appropriate policies and procedures.

In order to properly administer the program, the CCO will need to:

• Be fully aware of the adviser’s operations;

• Run the compliance program and verify that its provisions are being enforced;

• Seek out information concerning ongoing regulatory changes under the Advisers Act; and

• Propose and seek the adoption of changes in the program from time to time in order to assure that the program will continue to provide reasonable assurance of compliance with the rules and regulations under the Advisers Act.

In large organizations with complex operations, the CCO may need to be a full-time dedicated individual with appropriate staff support. In small advisory firms, the CCO may wear several other hats. Some firms may choose to outsource the CCO function, although the staff of the SEC has cast doubt on whether an outside person will have sufficient operational awareness and involvement to be able to adequately administer a compliance program.

2. Are your compliance policies and procedures comprehensive?

Since an adviser’s policies and procedures must be reasonably designed to prevent violation of the Advisers Act and the regulations under the act, they must be comprehensive enough to cover every requirement of the Advisers Act and related regulations that the adviser might violate. The adviser must consider all of the legal requirements that apply to registered advisers, then consider the scope and nature of its own operations, and then generate policies and procedures that apply to its operations in a manner that is reasonably likely to prevent violations.

For more information, please contact:

Ward B. Hinkle 716.848.1281 whinkle@hodgsonruss.com
The Guaranty Building, 140 Pearl Street, Suite 100, Buffalo, New York 14202

Mr. Hinkle concentrates his practice in the areas of federal and state securities laws, including the representation of investment advisers and public and private investment companies. He is available to assist you in your compliance requirements.

This article is protected by copyright. It may be reproduced or translated only if appropriate credit is given to the authors and the copyright holder.

The adviser faces a daunting task in trying to create written policies that cover all of the legal requirements that reasonably affect its operations. The staff of the SEC has identified 10 operational areas that compliance policies must, at a minimum, address (see the resource materials at the end of this article for information concerning the SEC’s areas of concern).

The adviser should identify the extent and nature of its activities within each of the 10 covered areas and then determine the regulatory constraints on those specific activities. In order to facilitate the design of a comprehensive program, a well-ordered set of policies and procedures might start with a summary description of the nature of the adviser’s operations. The summary would assist the adviser in considering whether the policies and procedures fit the adviser’s operations and, when changes in the adviser’s operations necessitate changes in the summary, those changes would serve as a trigger for reassessment of policies and procedures. In order to be comprehensive, the written policies and procedures should address all of the regulatory constraints on the adviser’s identified activities.

3. Do your compliance policies and procedures fit the risks of your operations?

The SEC has stressed that the nature of the adviser’s compliance policies and procedures should be determined by a risk-based analysis of the adviser’s operations. A risk assessment involves identifying the aspects of the adviser’s operations that pose meaningful risk of regulatory violation and then quantifying the level of risk based on the likelihood of occurrence and the severity of the violation if there were an occurrence.

The staff of the SEC has suggested that advisers compile an inventory of the risks of their operations in order to consider the manner in which their policies and procedures reduce these risks. Since the purpose is to identify risks that could lead to violations, a good starting place for considering risks is those areas that are the subject of specific regulation — such as advertising, paid referrals, related party transactions, conflicts of interest, order execution services, custody of client securities or funds, personal and proprietary trading, Form ADV filing and disclosure, and investment discretion.

4. Are you performing adequate “annual” reviews of your program?

The compliance program rule requires the adviser to review its compliance program at least annually to assess the adequacy and effectiveness of the program.

In the same manner that the compliance program should fit the operations of the adviser, the review of the compliance program should fit the program. Although reviews are only required on an annual basis, more frequent reviews, whether periodically at the end of shorter time periods or on a rolling basis, may be appropriate if the adviser changes its operations through the introduction of new investment products, personnel, service providers, or manner of doing business. High-risk areas require greater attention for appropriate testing of effectiveness and validation of procedures.  

A review of the compliance program should be designed to discover changes in the adviser’s operations, changes in regulatory requirements, and weaknesses in the compliance program that require changes. The review must not only identify those aspects of the program that have become deficient; it must also include mechanisms for remedying the deficiencies that are discovered. The review should end after the initiation of appropriate action to make any changes that are required.

5. Is the record keeping for your compliance program appropriate?

Record keeping is one of the more problematic areas for compliance programs. Some elements of a compliance program are the subject of the specific record-keeping requirements of SEC Rule 204-2, but other aspects of an adviser’s operations are subject to judgments concerning the appropriate records to maintain.

The regulatory purpose of the compliance program is to prevent violations. Problems arise for investment advisers when a review detects the possibility that a violation has occurred and, instead of creating appropriate documentation to help prevent similar future occurrences, they create incomplete or ambiguous records about past events that may be used by third parties to assert liability against the adviser. The records of a compliance program should cover only those matters that it is the program’s purpose to cover. 

This is not to say an adviser should use its compliance program to hide or excuse past violations. Situations may occur where there have been clear violations that have damaged clients, and the adviser’s duties to its clients as well as its disclosure responsibilities will require actions that may also assist third parties in bringing legal actions against it. Nevertheless, those issues should be addressed in an analysis of the appropriate steps to remedy a past or existing situation that will not be compromised by the existence of unnecessary documentation prepared for other purposes.

Depending on their situations, different advisers have concluded that it is appropriate to keep differing levels of records of their compliance program reviews. Some prepare and maintain formal written reports of the outcomes of their reviews, while others keep short memoranda, work papers, or informal notes. Appropriate subjects for written records of the review process include:

• Records of the scope and outcome of testing — the compliance areas that were tested, the nature of the tests undertaken, and the deficiencies in the compliance program that were discovered;

• Statements of changes in the adviser’s operations and of suggested changes in the compliance program to address the operational changes;

• Statements of changes in the regulations that apply to the adviser and of suggested changes in the compliance program to address the regulatory changes;

• Recommendations to a decision maker (e.g., the CCO or the board of directors) regarding necessary changes in the compliance program; and

• Revisions made in the compliance program, including tests to be undertaken in future reviews in order to validate the changes made.

The purpose of each of these kinds of records is to assist the adviser in continuing to prevent violations of the Advisers Act. Note that if any of these records is created, the record-keeping rule requires that the record must be maintained for five years and be available for examination by the SEC. The requirement to maintain any records made suggests that care should be exercised in assuring that records made are accurate and contain only information that is appropriate to their purpose.

Some helpful resources
The SEC has not adopted a formal set of guidelines for adviser compliance programs, but it has left a trail of bread crumbs to help advisers through the forest. The trail begins with SEC Release No. IA-2204, which announced the adoption of the compliance program rules. The adopting release identifies 10 issues that a compliance policy should, at a minimum, address if the issues are relevant to operations of the adviser.

The SEC’s areas of concern have been elaborated on by a set of SEC staff advisories that are published on the SEC’s Web site. The staff of the SEC has also proclaimed its enforcement intentions and philosophy through a series of speeches identified in its “CCOutreach Program.”

A partial list of the many SEC statements about compliance programs, including many of the more helpful ones, follows.

The adopting release:
• SEC Release No. IA-2204, Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No. 2204, Dec. 17, 2003, available at www.sec.gov/rules/final/ia-2204.htm

Staff advisories:
• Information for Newly Registered Investment Advisers, prepared by the staff of the SEC’s Division of Investment Management and Office of Compliance Inspections and Examinations, modified July 31, 2007, available at www.sec.gov/divisions/investment/advoverview.htm

• Examiner Oversight of “Annual” Reviews Conducted by Advisers and Funds, April 7, 2006 (modified Sept. 15, 2007), available at www.sec.gov/info/cco/adviser_compliance_faq.htm

• ComplianceAlert, June 2007, available at www.sec.gov/about/office/ocie/complialert.com

• Questions Advisers Should Ask While Establishing or Reviewing Their Compliance Programs, May 2006, available at www.sec.gov/info/cco/adviser_compliance_questions.htm

The CCOutreach Program:
• CCOutreach Program, (Sept. 19, 2007), available at www.sec.gov/info/ccoutreach.htm

• Remarks at the 2006 Securities Law Developments Conference of the Investment Company Institute, by Lori A. Richards, Director, SEC Office of Compliance Inspections and Examinations, December 5, 2006, available at www.sec.gov/news/speech/2006/spch120506iar.htm

• The Process of Compliance, by Lori A. Richards, October 19, 2006, speech at the National Membership Meeting of the National Society of Compliance Professionals, available at www.sec.gov/news/speech/2006/spch/101906lar.htm

• Fiduciary Duty: Return to First Principles, by Lori A. Richards, February 27, 2006, speech at the Eighth Annual Investment Adviser Compliance Summit, Washington, DC, available at www.sec.gov/news/speech/spch022706lar.htm

• SEC Expectations for Regulatory Compliance, by Gene Gohlke, Associate Director, Office of Compliance Inspections and Examinations, November 14, 2005, remarks before the Fund of Funds Forum, New York, NY, available at www.sec.gov/news/speech/spch111405gag.htm

• Better Than “Business as Usual,” by Lori A. Richards, October 25, 2005, remarks before the National Society of Compliance Professionals National Meeting, Washington, DC, available at www.sec.gov/news/speech/spch102605lr.htm

• Compliance: Some Core Principles, by Lori A. Richards, April 20, 2005, speech at the National Regulatory Services’ 20th Annual Spring Compliance/Risk Management Conference, Scottsdale, AZ, available at www.sec.gov/news/speech/spch042005lr.htm

• Compliance Programs: Our Shared Mission, by Lori A. Richards, February 28, 2005, remarks before the Investment Adviser Compliance Best Practices Summit, Washington, DC, available at www.sec.gov/news/speech/spch022805lar.htm

The contents of this article are intended for general informational purposes. The statements made may be inappropriate to your particular circumstances, and they should not be construed as legal advice or an opinion as to any matter. You should consult an attorney for specific advice that you may rely upon as applicable to your situation.
