News March 19, 2012 Issue

Conquering the Annual Review

It's a must for every adviser. But like fingerprints and snowflakes, no two will ever be alike – even for the same adviser from year to year.

Rule 206(4)-7 requires advisers to conduct an annual review of the adequacy of the firm's policies and procedures and the effectiveness of their implementation. Just how that requirement becomes reality, as well as some tips to smooth the way, was the topic for discussion by a panel of experts at the recent IA Watch Compliance Best Practices Summit in Washington, DC.

Put it in writing.

No securities law or rule requires the adviser's annual review to be in writing.

However, it is a common (and best) practice to write up the annual review, often as a report for the adviser's board of directors. Advisers to mutual funds often reduce their annual review to writing for practical purposes. Industry surveys indicate that as of the end of 2010, almost two-thirds of mutual fund adviser CCOs also served as the fund's CCO. Because the fund CCO must submit a written annual report to the fund's board, as a practical matter the adviser's CCO creates a written report of the annual review.

The SEC's view is that if the annual review is not in writing, it did not happen, said Matthews International Capital Management CCO Tito Pombra. If the annual review is not reduced to some form of writing, it is his understanding that the SEC will write that up as a deficiency, he said.

Memorializing the annual review in writing is important. "The review validates what you do during your compliance year," said Pombra.

ProFunds Advisors counsel/CCO Victor Frye does commit his firm's review to writing, but only in the form of a checklist that memorializes the areas examined each year. Frye's firm, due to the nature of its business and the fact that all of its clients are mutual funds, does not provide a separate written report of the adviser. "For us it is not necessary to create a report, although we do require evidence of our work and a frame of reference for future reviews as well," he said.

The "annual" review is a bit of a misnomer.

Review and testing of compliance policies and procedures should be memorialized no less frequently than annually, although it really is a process that should be ongoing throughout the year, said Frye. Allegheny Investments CCO/GC Aimee Toth agreed. To think you can do it once a year is a "farce of a thing," she said. Pombra noted that former OCIE associate director Gene Gohlke once said the annual review is not a December 25th exercise. It is critical to understand this is a year-round process, said Pombra.

Things are evolving, and the annual review process is becoming more challenging, said Frye. Look at the new CFTC derivatives releases, for example. The CFTC is requiring far more detail for recordkeeping compliance than Advisers Act requirements. Don't be surprised if that higher standard becomes the norm, he said.

It means that instead of merely retaining the confirmation statement for a transaction, advisers must also retain an email confirming the transaction if it contains additional information not found on the confirmation statement. Suitability, which is a big broker-dealer issue, is migrating over to the advisory side as well. Identity theft issues are also challenging. Whenever an adviser possesses or has access to consumer or client information such as social security numbers or mailing list information, you need to take reasonable measures to protect that information and memorialize how you do it, said Frye.

When someone at your firm is critical of a policy or procedure, engage them in a dialog on how to improve it, said Toth. Get them to think about how to do it better or easier or in a way that's more pleasant for everyone. It turns critics into advocates, she said.

Toth also recommended that all participants in the review get a packet of relevant information and provide feedback on the review. Get the traders involved, for example, she said. Interesting ideas can come forward. It gets you out of the mindset of "we've always done it this way" to "why can't we do it that way?" It has been a positive exercise for her company, she said.

Toth produces a written report that is typically 25-30 pages long. The report is delivered to each board member, who is required to acknowledge receipt of the report in writing, and also to acknowledge that they have reviewed the report and have no questions, or received satisfactory answers to any questions. It is good protection for the firm, said Toth, and prevents the board from saying "why didn't you tell us about this?" down the road.

Pombra said that his firm doesn't require acknowledgments; it relies on board minutes to memorialize the board's receipt and consideration of the annual review. The adviser has a board and the funds have a board, each of which evaluates the review. The minutes of the board meetings must then also be reviewed and approved by the board, he said.

Do you name names in an annual review?

"It gets more focus from people when you produce a report with their name in it," said NISA Investment Advisors CCO Marianne O'Doherty. It gets their attention and gets them to resolve any issues more quickly. You also don't want the person or persons named to find out about an issue through the report. As issues arise you should be discussing them with the appropriate personnel and it should be no surprise to them when the report is ultimately distributed.

That's right, said Pombra. CCOs are not supervisors. In his firm, the compliance group meets with all business unit heads and presents them with the findings for their business unit.

CCOs should switch it up a little each year too, said Frye. You can't be repeating the same tests all the time. Focus on current risks, business changes, and neglected areas or practices, for example. One year we focused on cash management practices, he said. This year, his firm's focus will be on futures trading and the use of derivatives.

As part of her process, Toth reviews her most recent annual report on a quarterly basis and follows up on various items as appropriate. It can be as simple as forwarding a message to someone that says "I see [x] noted, please provide us with an update on what you've done in response." It creates a good record, shows you're on top of things, and that the report of the annual review is a living document, she said.

One big mistake Frye sees in managing the annual review process is placing reliance on third party reports. Those reports are typically tailored to a wider audience, he said.

You have to drill down to understand the quality and applicability of the report. Ask the sampling size, for example. Did the custodian look at 20 accounts out of 40,000? Were any of the 20 accounts from your firm? No? Be leery of circumstances like that because you really can't rely on those results, said Frye.

Types of testing they've done or plan to do.

Good "tried and true" tests include:

  • Analysis of circumstances surrounding the top ten/bottom ten performers;
  • Risk-prioritized testing (example: valuation is a significant risk to a foreign money manager);
  • Trade allocation reviews;
  • Commission checks (double-check top brokers to ensure there is no undue influence or reward);
  • Review conflicts whenever the firm experiences change – change in principals, change in service providers, etc. – so that any conflicts of interest can be addressed and disclosed appropriately.

Cyber security issues require not only testing, but training as well, said Toth. She does hers in connection with the firm's anti-money laundering training.

It used to be that the big fraud was the Nigerian investor that would approach the firm through an email, but fraudsters are much more sophisticated now, she said. Cyber security issues can run the gamut from passwords stuck on computers with sticky notes to fraudsters trying to impersonate clients. This happened at her firm, but a sharp administrative assistant was suspicious that the client didn't sound quite like the voice he was used to hearing. By asking a simple screening question about the client's family, he was able to thwart the would-be fraudster.

Toth noted that FINRA Notice 12-05 released earlier this year contains helpful information on verifying emailed instructions from clients.

Do a test production from your current books and records, said O'Doherty. The SEC's standard document request related to books and records is on the SEC web site. Choose an item from the list and send it to the person in your firm responsible for that area, she said. Ask them to pull the information together and send it to you. Review what you get and check it to ensure it is complete.

If a risk or a test is not important or relevant to your firm's business, note it and say why it is not important, said O'Doherty. "I believe some of what you get credit for is recognizing and spotting issues," she said. You don't ever want to be in a position for the SEC to say "why isn't it important to you?" You have to be able to articulate the "why." It shows that you knew enough to ask the question, it just didn't apply to you.

And remember, your supporting documents from testing are part of your required books and records, she said.

Sometimes the best test can be simply listening, said Frye. Ask an open question such as "walk me through your daily process," or "what about the fixed income desk, do they do it this way, too?" It can be a way to learn if you have a procedure no one is following – or understands – or perhaps that you need to update your policies and procedures to reflect the practice. Write a quick memo to the file or send yourself an email about the encounter to document it as part of your testing records.

The number one most important thing is writing it down, said O'Doherty. The first part of her report of the annual review summarizes what she did, who she met with, etc. She would never give the whole report or the results of her annual review to clients or in response to a due diligence request, but she is happy to provide the summary information about her process. Yes, it may end up as a roadmap for the SEC in an examination, she said, but she views that positively.

The summary and the results are also a roadmap for the board, said Pombra. "The report of your annual review is your scorecard to get your bonus," he said.

The charge of the day is to have written policies and procedures and to test your compliance program no less frequently than annually, said Frye. If you accomplish those things, even if the SEC takes issue with some aspects of your program, you can't have a core deficiency, he said.

Parting wisdom.

As the panel concluded, each CCO offered a takeaway tip for the annual review process.

When conducting interviews to learn how well policies and procedures are understood, talk to the department head and to junior personnel, too, said Toth. Also, using an assistant to conduct the interviews can make them less intimidating and possibly produce more or better information.

Don't stop with half the facts, said Frye. When a criticism is raised, for example, keep digging for more or other information until you're satisfied you have the complete picture.

Reassess your risks every year, said O'Doherty. We start with our risk matrix, and on a scale of one through four, we score both the risk and the mechanism to mitigate the risk. You'd be surprised how some things can change from year to year.

The bare minimum every CCO should do, said Pombra, is to take the SEC's sample document request list and conduct a mock audit.