How to Design Investment Advisor Compliance Programs
Five questions for investment advisors and some helpful resources
Registered investment advisors are required to adopt and implement internal control procedures to prevent their firms and their supervised persons from violating any of the provisions of the Investment Advisors Act (the Advisors Act). The broad requirement to act affirmatively to prevent all violations is a Pandora’s box of uncertainty for investment advisors as they consider how to fashion meaningful compliance programs.
The compliance program rule, Securities and Exchange Commission Rule 206(4)-7, is relatively simple but broadly encompassing. A registered investment advisor must:
• Adopt and implement written policies and internal control procedures reasonably designed to prevent violation of the Advisors Act and of the rules of the SEC under the Advisors Act by the advisor and its supervised persons;
• Designate a chief compliance officer (CCO) with responsibility for administering the policies and procedures; and
• Review, at least annually, the adequacy of the policies and procedures and the effectiveness of their implementation.
Although the requirement to have a compliance program is simple and straightforward, the rule leaves open the question of how the advisor should go about “reasonably designing” a compliance program.
Requirements for the content of advisor compliance programs are not specified in the compliance program rule, or in any other SEC rules. The premise of the rule is that each advisor must take the general requirement — to adopt policies and procedures that are reasonably designed to prevent violations of the Advisors Act and related rules and regulations — and fashion its own written compliance program with terms that are tailored to the specific nature of its own operations. In other words, one size does not fit all; all must fashion programs suited to their own individual sizes and shapes.
By working through the answers to the following five questions, a registered investment advisor can develop a compliance program that meets the regulatory requirements.
1. Is your CCO able to administer your compliance program?
The compliance program rule requires advisors to designate a CCO who is responsible for administering its compliance policies and procedures. From an organizational and personal standpoint, the CCO has responsibility for making the compliance policies and procedures work, so it makes sense for an advisor to start by considering what the qualifications for its CCO should be and who can best fill that role. SEC guidance provides that the CCO should be competent and knowledgeable about the Advisors Act and should have full authority to develop and enforce appropriate policies and procedures.
In order to properly administer the program, the CCO will need to:
• Be fully aware of the advisor’s operations;
• Run the compliance program and verify that its provisions are being enforced;
• Seek out information concerning ongoing regulatory changes under the Advisors Act; and
• Propose and seek the adoption of changes in the program from time to time in order to assure that the program will continue to provide reasonable assurance of compliance with the rules and regulations under the Advisors Act.
In large organizations with complex operations, the CCO may need to be a full-time dedicated individual with appropriate staff support. In small advisory firms, the CCO may wear several other hats. Some firms may choose to outsource the CCO function, although the staff of the SEC has cast doubt on whether an outside person will have sufficient operational awareness and involvement to be able to adequately administer a compliance program.
2. Are your compliance policies and procedures comprehensive?
Since an advisor’s policies and procedures must be reasonably designed to prevent violation of the Advisors Act and the regulations under the act, they must be comprehensive enough to cover every requirement of the Advisors Act and related regulations that the advisor might violate. The advisor must consider all of the legal requirements that apply to registered advisors, then consider the scope and nature of its own operations, and then generate policies and procedures that apply to its operations in a manner that is reasonably likely to prevent violations.
The advisor faces a daunting task in trying to create written policies that cover all of the legal requirements that reasonably affect its operations. The staff of the SEC has identified 10 operational areas that compliance policies must, at a minimum, address (see the resource materials at the end of this article for information concerning the SEC’s areas of concern).
The advisor should identify the extent and nature of its activities within in each of the 10 covered areas and then determine the regulatory constraints on the those specific activities. In order to facilitate the design of a comprehensive program, a well-ordered set of policies and procedures might start with a summary description of the nature of the advisor’s operations. The summary would assist the advisor in considering whether the policies and procedures fit the advisor’s operations and, when changes in the advisor’s operations necessitate changes in the summary, those changes would serve as a trigger for reassessment of policies and procedures. In order to be comprehensive, the written policies and procedures should address all of the regulatory constraints on the advisor’s identified activities.
3. Do your compliance policies and procedures fit the risks of your operations?
The SEC has stressed that the nature of the advisor’s compliance policies and procedures should be determined by a risk-based analysis of the advisor’s operations. A risk assessment involves identifying the aspects of the advisor’s operations that pose meaningful risk of regulatory violation and then quantifying the level of risk based on the likelihood of occurrence and the severity of the violation if there were an occurrence.
The staff of the SEC has suggested that advisors compile an inventory of the risks of their operations in order to consider the manner in which their policies and procedures reduce these risks. Since the purpose is to identify risks that could lead to violations, a good starting place for considering risks is those areas that are the subject of specific regulation — such as advertising, paid referrals, related party transactions, conflicts of interest, order execution services, custody of client securities or funds, personal and proprietary trading, Form ADV filing and disclosure, and investment discretion.
4. Are you performing adequate “annual” reviews of your program?
The program compliance rule requires the advisor to review its compliance program at least annually to asses the adequacy and effectiveness of the program.
In the same manner that the compliance program should fit the operations of the advisor, the review of the compliance program should fit the program. Although reviews are only required on an annual basis, more frequent reviews, whether periodically at the end of shorter time periods or on a rolling basis, may be appropriate if the advisor changes its operations through the introduction of new investment products, personnel, service providers, or manner of doing business. High-risk areas require greater attention for appropriate testing of effectiveness and validation of procedures.
A review of the compliance program should be designed to discover changes in the advisor’s operations, changes in regulatory requirements, and weaknesses in the compliance program that require changes. The review of the program must address not only identifying those aspects of the program that have become deficient, it must also include mechanisms for remedying the deficiencies in the program that are discovered. The review should end after the initiation of appropriate action to make any changes that are required.
5. Is the record keeping for your compliance program appropriate?
Record keeping is one of the more problematic areas for compliance programs. Some elements of a compliance program are the subject of the specific record-keeping requirements of SEC Rule 204-2, but other aspects of an advisor’s operations are subject to judgments concerning the appropriate records to maintain.
The regulatory purpose of the compliance program is to prevent violations. Problems arise for investment advisors when a review detects the possibility that a violation has occurred and, instead of creating appropriate documentation to help prevent similar future occurrences, they create incomplete or ambiguous records about past events that may be used by third parties to assert liability against the advisor. The records of a compliance program should cover only those matters that it is the program’s purpose to cover.
This is not to say an advisor should use its compliance program to hide or excuse past violations. Situations may occur where there have been clear violations that have damaged clients, and the advisor’s duties to its clients as well as its disclosure responsibilities will require actions that may also assist third parties in bringing legal actions against it. Nevertheless, those issues should be addressed in an analysis of the appropriate steps to remedy a past or existing situation that will not be compromised by the existance of unnecessary documentation prepared for other purposes.
Depending on their situations, different advisors have concluded that it is appropriate to keep differing levels of records of their compliance program reviews. Some prepare and maintain formal written reports of the outcomes of their reviews, while others keep short memoranda, work papers, or informal notes. Appropriate subjects for written records of the review process include:
• Records of the scope and outcome of testing — the compliance areas that were tested, the nature of the tests undertaken, and the deficiencies in the compliance program that were discovered;
• Statements of changes in the advisor’s operations and of suggested changes in the compliance program to address the operational changes;
• Statements of changes in the regulations that apply to the advisor and of suggested changes in the compliance program to address the regulatory changes;
• Recommendations to a decision maker (e.g., the CCO or the board of the directors) regarding necessary changes in the compliance program; and
• Revisions made in the compliance program, including tests to be undertaken in future reviews in order to validate the changes made.
The purpose of each of these kinds of records is to assist the advisor in continuing to prevent violations of the Advisors Act. Note that if any of these records is created, the record-keeping rule requires that the record must be maintained for five years and be available for examination by the SEC. The requirement to maintain any records made suggests that care should be exercised in assuring that records made are accurate and contain only information that is appropriate to their purpose.
Some helpful resources
The SEC has not adopted a formal set of guidelines for advisor compliance programs, but it has left a trail of bread crumbs to help advisors through the forest. The trail begins with SEC Release No. IA-2204, which announced the adoption of the compliance program rules. The adopting release identifies 10 issues that a compliance policy should, at a minimum, address if the issues are relevant to operations of the advisor.
The SEC’s areas of concern have been elaborated on by a set of SEC staff advisories that are published on the SEC’s Web site. The staff of the SEC has also proclaimed its enforcement intentions and philosophy through a series of speeches identified in its “CCOutreach Program.”
A partial list of the many SEC statements about compliance programs, including many of the more helpful ones, follows.
The adopting release:
• SEC Release No. IA-2204, Compliance Programs of Investment Companies and Investment Advisors, Advisors Act Release No. 2204, Dec. 17, 2003, available at www.sec.gov/rules/final/ia-2204.htm
Staff advisories:
• Information for Newly Registered Investment Advisors, prepared by the staff of the SEC’s Division of Investment Management and Office of Compliance Inspections and Examinations, modified July 31, 2007, available at www.sec.gov/divisions/investment/advoverview.htm
The CCOutreach Program:
• CCOutreach Program, (Sept. 19, 2007), available at www.sec.gov/info/ccoutreach.htm
• Fiduciary Duty: Return to First Principles, by Lori A. Richards, February 27, 2006, speech at the Eighth Annual Investment Advisor Compliance Summit, Washington, DC, available at www.sec.gov/news/speech/spch022706lar.htm
• SEC Expectations for Regulatory Compliance, by Gene Gohlke, Associate Director, Office of Compliance Inspections and Examinations, November 14, 2005, remarks before the Fund of Funds Forum, New York, NY, available at www.sec.gov/news/speech/spch111405gag.htm
• Better Than “Business as Usual,” by Lori A. Richards, October 25, 2005, remarks before the National Society of Compliance Professionals National Meeting, Washington, DC, available at www.sec.gov/news/speech/spch102605lr.htm
• Compliance: Some Core Principles, by Lori A. Richards, April 20, 2005, speech at the National Regulatory Services’ 20th Annual Spring Compliance/Risk Management Conference, Scottsdale, AZ, available at www.sec.gov/news/speech/spch042005lr.htm
• Compliance Programs: Our Shared Mission, by Lori A. Richards, February 28, 2005, remarks before the Investment Advisor Compliance Best Practices Summit, Washington, DC, available at www.sec.gov/news/speech/spch022805lar.htm
The contents of this article are intended for general informational purposes. The statements made may be inappropriate to your particular circumstances, and they should not be construed as legal advice or an opinion as to any matter. You should consult an attorney for specific advice that you may rely upon as applicable to your situation.