Preparing For Your Next SEC Examination
The best tip for surviving an SEC examination?
Prepare for it in advance.
According to Adviser Compliance Associates principal consultant Daniel Smith (up until last year an SEC examiner himself), the outcome of your exam will depend "much more" on your pre-exam preparation than on how you and your colleagues actually conduct yourselves during the exam. In the old days, noted Smith, firms would "just sort of do their thing and wait for the SEC exam to tell them what they needed to be doing." Now, he said, firms need to take "a much more proactive stance."
Pickard and Djinis partner Mari-Anne Pisarri agreed. Advisers, she said, should take an active approach to preparing for exams, rather than adopting the attitude of "let them come in and find things."
Hereís what you can do before and during your exam to help ensure that things go as smoothly as possible.
Build a compliance program that you can be proud of. Obviously, the best preparation for an SEC exam is to build a strong culture of compliance within your firm, as demonstrated by practical, "living and breathing" policies and procedures. Do a risk assessment. Identify your conflicts of interest. If you walk the compliance walk during your day-to-day operations, it will be easy to talk the compliance talk during an SEC exam.
To that end, examiners like to see tailored procedures. "It will be immediately obvious to them whether your policies make sense for your business or whether theyíre just something you bought and changed the names on," noted Smith. Off-the-shelf, boilerplate procedures, he said, raise a red flag.
Make sure all employees in your firm understand how compliance affects the specific area that they work in and that they respect the need to abide by the firmís policies and procedures. Conduct additional training on this point, if necessary. During interviews, said Smith, SEC examiners will evaluate the extent to which employees are aware of their compliance responsibilities. Examiners will want to see that "thereís no star portfolio managers that run their own show apart from compliance," said Smith. For example, if a portfolio manager submits his personal trading reports three weeks late every single quarter for eight straight quarters, "the SEC doesnít like that."
Get your documents in order. If your records are in order, it gives the impression that everything else in your firm is order, too. "Having your records in an organized format where you can get your hands on them quickly . . . goes as far as anything in convincing the examiners that youíve got your act together," said Wilmer Cutler Pickering Hale & Dorr partner James Anderson. "I think it sends the right message." Anderson noted that examiners frequently will ask for a tour of a firmís facility and ask to see where the records are physically stored.
Do what-if scenarios using recent SEC examination document request lists. Take a look at a recent OCIE request list. Can you produce the requested documents in the format requested? In particular, test e-mail retrieval ó can you pull up all e-mails sent to and from particular individuals during particular time frames? Smith noted that examiners rarely ask for all e-mails for the entire exam period anymore. Instead, requests typically identify specific individuals and specific time periods (for example, all e-mails to and from the firmís CEO for the second quarter of 2004).
Similarly, test whether you could produce trade blotter information in an Excel spreadsheet containing the specific fields listed in the document request list (identifying information such as trade date, CUSIP number, commission in cents per share, etc.). Similarly, test whether you can produce a client list in an Excel spreadsheet listing the SECís specified fields (name, custodian, current account balance, etc.).
Consider whether your firm should be tracking certain types of information in centralized logs in anticipation of SEC requests. For example, the SECís typical exam request list asks for lists of errors, complaints, and litigation or threatened litigation during the exam period. Itís a good idea to track these in one place.
Lastly, consider how you would answer the thornier questions on the list, such as the ones dealing with CCO resources and significant compliance breaches. If you donít like the answers you would have to provide, take action now to enable your firm to comfortably answer the questions when the time comes.
Find out what the SEC will find out about your firm. Examiners will try to learn as much as possible about your firm before the exam. Put yourself in their shoes and see what you dig up about your own firm. Googleô your firmís name and the names of your firmís top executives. Pull your ADV and read through it as if you were an examiner. Print out and review all pages of your website. Is there is anything there that would give examiners pause? Change it now.
Make sure that your firm has been living up to its promises. Review your firmís past deficiency letters and responses to those letters. Double check that your firm has remedied past deficiencies and has abided by its representations to the staff in any deficiency letter responses. Similarly, pull any no-action relief or exemptive relief that your firm has obtained from the SEC, staff, or other regulators, and confirm that your firm is abiding by the conditions of the relief (if the relief still is being relied upon).
Think ahead. To the extent possible, try to anticipate the next big exam focus. For example, Anderson noted that in the next six months or so, CCOs will be conducting their annual reviews. "I expect that that will be very much a focus of the examination process," he said. "What did the compliance officer do and how is that documented and what were the results? I really think itís time for people to start thinking very seriously . . . about how they are going to conduct those reviews and document findings," he said, adding that "those are difficult questions."
Have an action plan in place for E-Day. Chances are that when the SEC shows up, it will not be a surprise. These days, OCIE is conducting exams "overwhelmingly on notice," said Adviser Compliance Associates partner Barry Schwartz. "In fact, I canít tell you the last time I saw a surprise exam, other than for cause. Itís been at least a year." Even first-time examinations have been on notice, he said. Firms typically get a document request list three days to a week in advance.
If the examiners do show up unannounced, does that mean youíre facing a cause exam? SEC examiners "never" tell firms whether an exam is for cause or routine, said Schwartz. "They donít even tell you afterwards." However, he added, "if you take a look at the request list, you can very easily read the tea leaves and figure out why they are there."
In any event, plan ahead: Instruct all firm receptionists what to do if SEC examiners show up unannounced on your firmís doorstep. Typically, receptionists should be instructed to notify your firmís CCO, or if the CCO is out of the office, another senior executive (perhaps the firmís COO or CEO). Of course, the CCO should be notified as soon as possible.
Decide ahead of time where you will house examiners during their stay. While you donít want to put examiners in a closet, you donít necessarily need to set them up in the firmís main conference room if you have another work space available. The key is to provide them with a comfortable work space, ideally one that is close to the compliance department and free from distractions.
Determine how your firmís employees will be notified that SEC examiners are on site (and, for larger shops, which of your firmís employees will be notified). If you plan to notify employees by e-mail, you might want to draft the e-mail ahead of time (heaven forbid you dash off a panicked e-mail along the lines of "Ye gads! The SEC is coming! Just smile and act normal, and donít mention anything about you-know-what.")
Remember: the e-mails you send out discussing your SEC exam will likely be read by the examiners themselves (although OCIE is no longer routinely requesting e-mails to and from firm CCOs, as OCIE general counsel John Walsh stated in speeches earlier this year). Having said that, it would be entirely appropriate to circulate an e-mail to all employees as follows: "As some of you may know, SEC examiners are visiting our firm to conduct an onsite examination. The examiners are working out of Conference Room X. We expect them to remain at our firm through the end of the week, if not longer. To help us better manage the requests we are getting from the SEC examiners and in order to ensure we are fully responsive to their requests, please wait until someone from the Compliance Department is present before speaking with the examiners. We ask that all employees be courteous to the SEC examiners and expect all employees to answer any questions asked with 100 percent honesty. If you have any questions about the SEC examination, please contact Joe in Compliance."
Be nice. "First impressions matter," Smith said. From the very beginning of the exam, examiners are going to be calculating how long they are going to be on-site, he said. From the get-go, youíll want to do everything you can to assure them that everythingís okay and that they can keep their visit relatively short. To that end, warned Smith, do not give SEC examiners an icy reception. "Be courteous, set an open and honest tone," he said.
Pisarri agreed. "If you immediately set a bad tone" with examiners, "you are never going to dig yourself out of the hole." (For an idea of what not to do, read the 2003 SEC opinion against Alfred Barr, who allegedly got so fed up with the SEC examiners he kicked them out. In return, the SEC kicked Barr out of the adviser industry.)
Even if you dazzle the examiners, expect them to stay for at least three to five days. "Thatís about as short as I see them go now," said Schwartz. Larger firms may find the examiners camped out for weeks on end.
But not too nice. Pisarri cautioned that the "hardest thing" in dealing with an SEC exam is finding "the right balance between being helpful and polite and tying yourself to the railroad tracks." Finding the midway point, she said, "is an art, not a science." She noted that the industry has been urged to build a culture of compliance, with CCOs exhibiting professional skepticism and viewing themselves as partners with OCIE. As a result, she said, "I worry that advisers are going to feel that they are obligated to tie themselves to the tracks," she said.
And, of course, donít make offers to buy the examiners lunch, provide them your corporate rate at a hotel, or offer them a ride home via your firmís car service. "Itís pretty well known in the industry that they arenít going to take it," said Kimberly Hill, a principal consultant at Adviser Compliance Associates. "Anything beyond coffee could look suspicious." Examiners, she noted, have even been known to refuse birthday cake leftover from office parties.
Be squeaky clean during the exam. Once the SEC examiners are on sight, there can be no monkey business ó no instructing employees to tamper with data or delete records (again, for an idea of what not to do, read the recent ALJ opinion kicking Schield Management Company founder Marshall Schield out of the advisory industry after he allegedly destroyed documents during an SEC exam)
Among other things, that means no instructing employees to quickly delete personally embarrassing e-mails. While firms have no obligation to maintain personal e-mails and can adopt a policy of systematically sifting through and deleting personal e-mails on an ongoing basis, the time to launch that policy is not during your SEC exam. "You donít wait until the SEC is coming in to delete embarrassing e-mails," said Pisarri. "As a practical matter, thereís no way to deal with it when the SEC is there." Moreover, if your approach to e-mails is to "save everything," she added, "optically, you donít want to be in a position of deleting e-mails when the SEC comes in."
On that same score, firms that routinely destroy documents as part of their regular records management process might want to consider temporarily suspending that process while examiners are on site. Consider, for example, the optics of having a wholesale shredding operation running in the background while examiners are onsite. That, said Schwartz, can convey a "worse perception to employees than to the examiners."
Designate a contact person. Itís a good idea to tell examiners that all information requests must flow through one designated contact person. According to Smith, SEC examiners "are very used to seeing that kind of arrangement."
In most cases, the contact person will be the firmís CCO. "The CCO has got to be front and center" during the SEC exams, noted Pisarri.
The contact person should be responsible for coordinating the production of requested documents, including copying, any review by in-house personnel or outside counsel prior to production, and any Bates stamping.
Smith suggested that the contact person touch base with the staff at least twice a day. "If the SEC examiners donít see that person for a long period of time, they start wondering," he said. "Make sure they are happy [and that] they are getting what they want."
Show them the big picture. Typically, at the beginning of an exam, examiners ask to meet with a member of senior management to obtain an overall view of the firmís organization, business, controls, and compliance culture. Particularly if your firm has a unique business model or is in a niche business, use this overview as an opportunity to help head off irrelevant requests. Smith noted that SEC examiners visit a broad spectrum of firms. "The examiner you get might not have been at a lot of firms like yours," he said. "Being able to explain to them how your business works at the beginning really saves a lot of time."
One way to provide an overview: use (or modify) a PowerPoint presentation used for prospective clients. Also, consider whether to invite the examiners to stroll through your firmís offices for a tour (chaperoned, of course, by the CCO).
Let the information flow. OCIEís typical examination list asks for upwards of eighty documents. But donít be overwhelmed: Some documents will be requested up front; other documents are to be made available on request. And many firms will find that a significant number of items do not apply to them. Moreover, examiners often will sample records "as opposed to just getting all of them," said Smith. For example, the examiners may ask for a couple of quartersí worth of personal trading reports, or only a handful of client files.
When producing documents, you want to come out of the gate strong: the more documents you are able to provide on the first day of the examination, the better your controls look right off the bat. Of course, if examiners have provided a document request list in advance, they expect you to ready documents for their review ahead of time. (Pisarri said that she likes to organize documents in binders, with tabs, for the examiners.)
Youíll want to keep the documents coming: idle time is the examinerís playground. A steady flow of documents, said Smith, "will keep them busy."
Before handing documents over to the examiners, however, they should be double-checked for completeness and photocopied. The firm should retain a master set of documents provided to the staff.
Itís a good idea to ask examiners to put all substantive requests in writing. "Thereís no reason not to," said Schwartz. "The examiners are happy to do it." He noted that having examiners requests in writing helps manage the exam workpapers. An adviser can see what was handed over pursuant to the SECís initial document request list, and what was handed over pursuant to subsequent requests made during the course of the exam. Having that information, said Schwartz, can be helpful "if a question ever arose about what you gave to someone and why."
Schwartz noted that the SECís document request list, on its face, specifies that copies of the requested documents should be provided. "In every opportunity where you can provide copies to the SEC, as opposed to providing originals, you should do so," explained Schwartz, who noted that firms should make and keep a master set of copies of all copies given to the examiners. Electronic records should be "copied" either by providing the data on a CD or by printing out the record, as appropriate.
However, it may not make sense to copy some types of documents, such as client files or research files. "You donít want to copy everything that is jammed in client files," nor do you want to be copying "drawers and drawers of research," said Schwartz. "I donít think thatís practical." In those instances, tell the examiners that they are reviewing originals, and ask them to identify any specific materials that they would like copied.
What about Bates stamping (1 of 456, 2 of 456, etc.)? Unless you are doing it because you are requesting FOIA protection (which technically may not be necessary, see Advisers Act Section 210(b) ), it may be more trouble than itís worth. "I typically recommend against that," said Smith. "It sort of slows the process down." While Bates stamping may be useful if an enforcement proceeding is expected, he said, "I just donít think itís necessary in the examination context."
Any pre-production review process, whether internal or external, should be fast. "Make sure whoever is reviewing the documents" moves promptly, said Smith. "The SEC is going to start to get upset very quickly" if simple requests are taking two to three days because they are getting reviewed. In particular, having outside counsel review documents can significantly slow down the production process, he noted.
Consider when to consult with outside counsel or other outside experts. For example, Smith noted that one "sticky question" on the SECís list is a list of regulatory breaches or deficiencies identified during the examination period and a written discussion of what it did about them. That, he noted, is akin to "asking you to give them rope to hang yourself with." For those types of questions, Smith suggested that advisers consult with outside consultants or counsel.
If a request appears to be overly burdensome, donít be afraid to negotiate down the request. The SEC examiners, noted Smith, cast a very wide net. "A lot of times, you can say ĎHey, thatís going to take three weeks. Can you pinpoint certain employees or certain time frames?í" Again, Smith suggested checking with outside consultants or counsel. "We have a very good feel for what requests can be reduced and how to approach the issue," he said.
Hill agreed. "Theyíll tailor it down," she said. "Generally, examiners are willing to work with firms."
Beware the attorney-client privilege nightmare. Reviewing documents for attorney-client privilege prior to producing them to SEC examiners can be a time-consuming and costly endeavor, particularly when it comes to e-mails. The challenge, noted Anderson, is identifying and segregating privileged e-mails while at the same time responding to the staffís requests in a timely manner.
Ideally, firms will have set up a system to identify and segregate attorney-client communications, particularly e-mails, in advance. Pisarri urged both inside and outside counsel to teach people about how to identify privileged communications on an ongoing basis, so that "youíre not faced with the problem of the night before the exam of reviewing your documents to determine what is privileged." Firms can instruct employees to put "PRIVILEGED AND CONFIDENTIAL" in the re: line of the message. And, noted Anderson, some have suggested that "there might be a box to click" on the e-mail to indicate its privileged status. "I think a lot of vendors are thinking about it and I think a lot of firms are thinking about it," he said. But, he added, "I donít think anybody has come up yet with a viable solution," he said.
In any event, Schwartz had dire words of warning for firms that havenít implemented a system of identifying attorney-client privilege: "If you havenít planned for this in advance, get ready to write a big fat check." The problem, he explained, is that to protect the privilege, a firm has to get its outside lawyers involved in creating the privilege log (otherwise the privileged information can be exposed to non-privileged third parties). Having a law firm associate slog through thousands of e-mails is "a very expensive process," he said. For larger advisers, it can be "a six-figure number."
When shielding documents from SEC examiners because of attorney-client privileged, be judicious. According to Smith, some firms have tried to expand the attorney-client privilege beyond what it was intended to cover.
Put your best foot forward in interviews. Examiners rely heavily on interviews to get a sense of the firmís attitude toward compliance. For that reason, senior management should be made readily available to the examiners. "It just gives the feeling that the firm values compliance," said Smith. The opposite is true, as well: "If senior management canít take time for compliance when the SEC is actually there, the thought is, how much time are they putting in when the SEC isnít actually on site?" If CEOs arenít available to the SEC "at least by phone," said Smith, that could raise examinersí eyebrows. Examiners typically also want to interview the firmís head trader and the head of marketing.
Smith suggested that firms prepare employees for SEC interviews. By doing practice interviews ahead of time, he said, employees will feel more comfortable talking with examiners. During the actual interview, employees should appear relaxed, open, and honest, which will demonstrate that the person has nothing to hide. However, Smith acknowledged, "this can be a stressful experience for some people." Employees should bring documents, such as exception reports, to the interview in order to demonstrate what they are talking about.
Employees are not under oath when being interviewed by SEC examiners. Nonetheless, they should be instructed to answer questions truthfully. "It looks very bad if examiners feel that they are being internationally misled or that the information they are being given is not accurate," said Smith.
It also looks bad if employees act like they have something to hide. Smith noted that in his days as an examiner, he would ask "very open-ended questions" and, in turn, "get yes/no answers." That, he said, "doesnít speak very well to the culture of compliance." On the other hand, employees should be told to keep their answers succinct and tailored to the question asked. Employees should not ramble on or volunteer extraneous information.
While examiners expect employees to be knowledgeable about the specific area they work in, "itís fine to not know the answer and say ĎThatís not really my area,í" said Smith. "Unless you are absolutely sure, do not try and answer questions about areas that are outside of your responsibilities."
The CCO should plan on attending as many interviews as possible. "It looks kind of odd if the CCO is not present," said Smith. Of course, he added, if the CCO is also the CEO and has other responsibilities, it is understandable if he cannot attend every interview. However, if the CCO is a dedicated CCO, said Smith, he "should definitely be in every single interview." The CCO can help ensure that the interviewee does not talk about extraneous matters or convey information that is attorney-client privileged. Moreover, the CCO can take notes during the interviews to record what was covered.
What if the SEC examiners donít want the CCO to attend? "Never in a routine examination have I ever heard of something like that," said Schwartz.