Best Practices for Annual Compliance Reviews

Author:  Jim Obuchi

Under the Advisers Act, Rule 206(4)-7 requires each registered investment adviser (RIA) to conduct an annual review of its policies and procedures to determine their adequacy and the effectiveness of their implementation. The SEC recommends that the review “consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures.” (It is recommended that state-registered investment advisers conduct a similar annual review, as well.)

“Rule 206(4)-7 – Compliance procedures and practices” reads as follows:

If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b-6) for you to provide investment advice to clients unless you:

(a) Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violations, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;

(b) Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and

(c) Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.

The Chief Compliance Officer (“CCO”) is expected to be knowledgeable regarding applicable securities laws, and should have sufficient seniority and authority to compel others within the firm to adhere to its compliance policies and procedures.  If the CCO has other organizational functions or another role, the firm should be prepared to be asked whether it has identified and managed any potential conflicts of interest. While the CCO is expected to be in charge of the compliance review, the CCO may engage others (such as members of a management committee, internal audit, or an independent audit or consulting firm) to assist with review process. 

In various SEC guidance, SEC staff has recommended that the annual review be an active ongoing process throughout the year. The annual review of the firm’s compliance policies and procedures is be designed to prevent violations of the Advisors Act from occurring, detect violations that have occurred; and promptly correct any violations that have occurred. The intent of an RIA’s overall compliance program should be to identify the firm’s regulatory obligations, mitigate conflicts of interest that could result in harm to clients, and address risks to the firm and its clients. 

In its adopting release of Rule 206(4)-7, the SEC provided a list of “critical areas” (i.e., areas of risk) that the RIA’s compliance manual should address: 

1. Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients’ investment objectives, disclosures by the adviser, and applicable regulatory restrictions;

2. Trading practices, including best execution, soft dollar arrangements, and trade allocation;

3. Proprietary trading of the adviser and personal trading activities of its employees and access persons;

4. The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;

5. Safeguarding of client assets from conversion or inappropriate use by advisory personnel;

6. The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;

7. Marketing advisory services, including the use of solicitors;

8. Processes to value client holdings and assess fees based on those valuations;

9. Safeguards for the privacy protection of client records and information; and

10. The adoption of a business continuity plan.

In addition, pursuant to the SEC’s OCIE Risk Alert guidance, RIAs should implement cybersecurity policies and procedures. Policies and procedures must be tailored to the RIA’s own business, so while a boiler-plate compliance manual may be used by a new RIA as a starting point, it should be customized to address all of the RIA’s business risks. As changes are made, it is important to retain documentation of the revisions to the firm’s policies and procedures. During an examination by the SEC OCIE staff, examiners will typically assess whether the current policies and procedures are designed to detect breaches of the federal securities laws and will determine whether the firm’s policies and procedures have been implemented effectively. Failure to have adequate policies and procedures in place would result in a violation under Section 206(4), independent of any other securities law violation.

There are several steps to determining the adequacy of a firm’s policies and procedures that include:

1. Conducting periodic risk assessments (no less than annually) to identify the firm’s key risks and the controls that are in place to mitigate those risks (be sure to retain an inventory of these risks and to document of any changes, such as new compliance risks identified); 

2. Reviewing the report of the last annual review (e.g., were recommendations from the previous year’s report implemented?);

3. Reviewing the report from the last regulatory examination, and verifying that past deficiencies were properly addressed;

4. Reviewing any significant compliance issues that occurred over the past year, or any business activity or organizational changes to the firm;

5. Conducting transactional testing in higher risk areas of the firm, as well as areas where deficiencies were previously observed; and

6. Ensuring the firm’s policies and procedures address new laws and regulations applicable to the firm’s business, or new areas of focus by the SEC (or by other appropriate regulatory agencies).

A formal written report should be drafted at the conclusion of the annual review, which should include:

• A description of the firm’s business, its services, clients and AUM (as persons outside the firm may read this report); 
• Who conducted the review, and the extent to which business line staff (operations and management personnel) were involved;
• What was reviewed (i.e., listings of the policies, procedures, business functions, transactions, materials, etc.), and why (e.g., based on the annual risk assessment);
• How the review was conducted (e.g., interviews with staff, exception reports, transaction testing, ongoing monitoring, and confirmation of reviews of policies and procedures by business line managers);
• When the reviews were conducted, including the activity timeframe;
• The results/findings from the reviews (and the status of any corrective action taken or to be taken), particularly highlights of any significant exceptions or trends identified; and
• A conclusion on whether the firm’s compliance policies and procedures are adequate and effective, along with any recommendations for senior management.

If the firm has a governing board, it is a best practice to present the final report at a board meeting, as well. Lastly, it is important to remember that records documenting the annual review need to be retained for five years.

This article does not in any way create an attorney-client relationship. This article should not be seen as legal advice. You should consult with an attorney before you rely on this information.