Lessons Learned From OCIE’s Inspections of Investment Adviser Compliance Programs

The Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on November 19, 2020 related to the Advisers Act compliance rule, Rule 206(4)-7. Some key takeaways for Chief Compliance Officers (CCOs) are as follows:

CCOs must be nimble and respond to changes in the business. The rule calls for annual compliance reviews, but when things go wrong, or the adviser’s business arrangements or risk profile changes, CCOs should assess whether an interim review is necessary or advisable, and act accordingly.

CCOs should have authority within their firm and act with authority. OCIE observes that CCOs should have sufficient knowledge, authority and seniority to compel others to comply. OCIE’s list of deficiencies include the following:

A CCO that is a “Jack of All Trades,” may be the master of none. A CCO who has too many roles within the firm, and lacks the time and resources to become an expert in the Advisers Act, and cannot devote sufficient time to overseeing and administering the compliance program, is a CCO that should reconsider the priority of the CCO’s compliance functions.
Insufficient compliance resources leave a CCO in a vulnerable position. OCIE observed firms where inadequate resources were provided, which resulted in the CCO being unable to assure adequate staff training, conduct appropriate annual reviews, ensure accurate disclosure in the firm’s Form ADV, and properly maintain of the firm’s books and records.
A CCO that is not kept abreast of significant developments at the firm is operating “in the dark” to the firm’s detriment. OCIE observed firms where CCOs were not informed by senior management when compliance breaches arose, or when events were occurring that might significantly impact the firm’s risk profile. CCOs in this position are not sufficiently informed to be fully effective.

Doing what you can, but not fully complying with the requirements of the rule, may not be enough. OCIE observed deficiencies in the effectiveness of annual compliance reviews, such as compliance reviews that: were not well documented, failed to identify key risk areas (particularly conflicts of interest and asset protection), overlooked key areas for compliance, such as oversight of third party managers, cybersecurity, fee calculations and expense allocations. CCOs need to ensure that the compliance program is carried out as intended, and not settle for inadequate compliance measures.

If it’s in your manual, OCIE will inspect for it. OCIE zeroed in on staff training; procedural implementation regarding conflicts of interest; advertising reviews taking place uniformly; following and using your checklists; back testing fee calculations by compliance; testing continuity plans; and reviewing client accounts for compliance with investment objectives on a systematic basis. CCOs need to ensure that all material risks are identify in the compliance manual, and then ensure that all items in the compliance manual are carried into effect, as intended.

Off the shelf policies are an OCIE red flag. OCIE is looking for up to date, firm specific, tailored compliance programs. An off the shelf compliance program that is not properly tailored puts the firm at risk of compliance violations and deficiencies. A reasonably designed compliance program needs to address the specific risks of the firm.

OCIE’s 27 Hot Topics. OCIE is looking at the following areas:

Due diligence and oversight of outside managers.
Monitoring compliance with client investment and tax planning strategies.
Oversight of third-party service providers.
Due diligence and oversight of investments, including alternative assets.
Oversight of branch offices and investment advisory representatives to ensure they are complying with the adviser’s policies and procedures.
Compliance with regulatory and client investment restrictions.
Adherence with investment advisory agreements.
Oversight of solicitation arrangements.
Prevention of the use of misleading marketing presentations, including on websites.
Oversight of the use and accuracy of performance advertising.
Allocation of soft dollars.
Best execution.
Trade errors.
Restricted Securities.
Accuracy of disclosure in Form ADV.
Accuracy of client communications.
Fee billing processes, including how fees are calculated, tested, or monitored for accuracy.
Expense reimbursement policies and procedures.
Valuation of advisory client assets.
Regulation S-P.
Regulation S-ID.
Physical security of client information.
Electronic security of client information, including encryption policies.
General cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans.
Custody rule.
Maintenance of books and records.
Business Continuity Plans.

Conclusion: Compliance is a process, and not an event. It is a process that can and should adapt with the firm, as the firm grows and changes. CCOs should also remember that details matter, both to properly manage the firm’s risks, and because OCIE will review the details with care in assessing the adequacy of the firm’s compliance program.

See full alert here.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.