OCIE Identifies Top 5 Compliance Problem Areas Found in Exams
Advisers receiving a deficiency letter after an examination identifying certain compliance areas where the SEC found them lacking may take some comfort in knowing they are not alone – particularly if those areas involve the Compliance Program Rule, required regulatory filings, the Custody Rule, the Code of Ethics Rule or the Books and Records Rule. The agency’s Office of Compliance Inspections and Examinations on February 7 issued a Risk Alert, "The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers."
Knowledge that violations in these areas are shared with other advisers does not excuse an adviser that violates them, of course. OCIE’s decision to publish the list "puts advisers on notice," said Morrison and Foerster partner Jay Baris. "This is what they are looking for. OCIE may come down harder on an adviser who disregards the advance warning."
"The top five findings all relate to pretty fundamental issues, as opposed to the current ‘hot topics,’ such as cybersecurity or fees and expenses," said Sidley Austin partner Mark Borrelli. "Advisers should not neglect the ‘boring’ fundamental issues, such as the Custody Rule and accuracy of regulatory filings, even as they devote attention to hot topics."
"In sharing the information in this Risk Alert, OCIE hopes to encourage advisers to reflect upon their own practices, policies and procedures in these areas and to promote improvements in investment adviser compliance programs," the Alert says.
"The SEC is sending a message," Baris said, adding that the agency can send messages in a variety of ways, including instituting an enforcement action against an advisory firm. "It’s much better to receive the message through a Risk Alert."
Faegre Baker Daniels partner Jeffrey Blumberg called attention to the inclusion of the Custody Rule in the Risk Alert, which he sees as an indication that the agency will be paying more attention to it. "The Custody Rule does not clearly address the odd situation, such as where custody is not intended, but occurs because of the way a platform is designed."
Following is a rundown of the top five compliance areas found in examinations that are listed by OCIE in its Risk Alert, along with examples examiners found.
The Compliance Program Rule
Rule 206(4)-7, the Compliance Rule, requires advisers to:
adopt and implement written policies and procedures reasonably designed to prevent violations;
review, at least annually, its compliance policies and procedures and the effectiveness of their implementation;
designate a chief compliance officer responsible for administering the compliance policies and procedures.
Here are the "typical examples" of deficiencies or weaknesses in this area that OCIE said its examiners found:
Compliance manuals not reasonably tailored to the adviser’s business practices. "The staff noted that certain compliance programs did not take into account important individualized business practices such as the adviser’s particular investment strategies, types of clients, trading practices, valuation procedures and advisory fees," the Risk Alert says. "Moreover, examiners continue to observe that some advisers use ‘off-the-shelf’ compliance manuals that have not been tailored to the adviser’s individual business practices."
Annual reviews not performed or do not address the adequacy of the adviser’s policies and procedures. "The staff observed that certain advisers did not conduct annual reviews of their compliance policies and procedures," according to the Risk Alert. "The staff identified advisers that conducted annual reviews that did not address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. Staff also observed that advisers did not address or correct problems identified in their annual reviews."
Adviser does not follow compliance policies and procedures. Examiners found that "certain advisers appeared to not be following their compliance policies and procedures. … Examples include advisers that do not perform certain internal reviews of their practices required by their compliance manual and advisers that do not adhere to certain practices relating to marketing, expenses or employee behavior required by their compliance manual."
Compliance manuals not current. "The staff noted that certain compliance manuals contained information or policies that are no longer current, such as investment strategies that were no longer pursued or personnel no longer associated with the adviser and stale information about the firm," the Risk Alert says.
Advisers are required to accurately complete and file on time Form ADV, and, depending on the nature and size of their business, a variety of other documents, including Form PF and Form Ds.
SEC examiners, according to the Risk Alert, found deficiencies or weaknesses involving the following types of violations:
Inaccurate disclosures. "The staff observed that certain advisers made inaccurate disclosures on Form ADV Part 1A or in Form ADV Part 2A brochures, such as inaccurately reporting custody information, regulatory assets under management, disciplinary history, types of clients and conflicts," according to the Risk Alert.
Untimely amendments to Form ADVs. Also observed by the staff, the Risk Alert states, was that "certain advisers did not promptly amend their Form ADVs when certain information became inaccurate or timely file their annual updating amendments."
Incorrect and untimely Form PF filings. The staff observed that certain advisers with an obligation to file Form PF did not complete the form accurately or completely.
Incorrect and untimely Form D filings. The staff observed that certain advisers did not accurately complete and timely file Form Ds on behalf of their private fund clients.
Under Rule 206(4)-2, the Custody Rule, an adviser has custody, "if it or its related person holds, directly or indirectly, client funds or securities or has any authority to obtain possession of them," the Risk Alert says. Under the Rule, advisers must take a number of steps that protect the safety of client assets.
In that regard, the Risk Alert lists a number of situations found by examiners where the Custody Rule was not properly followed. These were:
Advisers did not recognize that they may have custody due to online access to client accounts. An adviser’s online access to client accounts may meet the definition of custody when it provides the adviser with the ability to withdraw funds and securities from the client accounts, OCIE says in the Risk Alert. With that in mind, "the staff observed that certain advisers may not have properly identified custody as a result of them having access to online accounts using clients’ personal usernames and passwords."
Advisers with custody obtained surprise examinations that do not meet the requirements of the Custody Rule. "The staff observed that certain advisers did not provide independent public accountants performing surprise examinations with a complete list of accounts over which the adviser has custody or otherwise provide information to accountants to permit the accountants to timely file accurate Form ADV-Es," the Risk Alert says. "In addition, staff observed indications suggesting that surprise examinations may not have been conducted on a ‘surprise’ basis," among them that the exams were conducted at the same time each year.
Advisers did not recognize that they may have custody as a result of certain authority over client accounts. Certain advisers, the Risk Alerts says, "did not appear to recognize that they may have custody over client accounts as a result of having (or related persons having) powers of attorney authorizing them to withdraw client cash and securities." Other examples of custody that appeared unrecognized, the Alert says, occurred when advisers or their related persons served as trustees of clients’ trusts or general partners of client PIVs.
Code of Ethics Rule
Rule 204A-1, the Code of Ethics Rule, requires that an adviser’s Code of Ethics establishes a standard of business conduct that the adviser requires of all its supervised persons; require an adviser’s ‘access persons’ to periodically report their personal securities transactions and holdings to the adviser’s chief compliance officer or other designated persons; and require that access persons obtain the adviser’s pre-approval
before investing in an initial public offering or private placement.
Advisers must also take a number of other steps, including providing supervised persons with a copy of the Code of Ethics and requiring their supervised persons to provide a written acknowledgement that they received it.
Below are typical examples from the Risk Alert of deficiencies or weaknesses that examiners found that related to the Code of Ethics Rule:
Access persons not identified. "The staff observed that certain advisers did not identify all of their access persons (e.g., certain employees, partners or directors) for purposes of reviewing personal securities transactions."
Codes of ethics missing required information. "Certain advisers’ Codes of Ethics did not specify review of the holdings and transactions reports, or did not identify the specific submission timeframes."
Untimely submission of transactions and holdings. "The staff observed that certain access persons submitted transactions and holdings less frequently than required by the Code of Ethics Rule," the Risk Alert says.
No description of Code of Ethics in Form ADVs. Also found by examiners was that "certain advisers did not describe their Codes of Ethics in their Part 2A of Form ADVs and did not indicate that their Codes of Ethics are available to any client or prospective client upon request."
Books and Records Rule
Rule 204-2,the Books and Records Rule, requires advisers to make and keep certain books and records relating to their investment advisory business.
Examiners reported finding the following examples of deficiencies or weaknesses tied to this Rule:
Did not maintain all required records. "The staff observed that certain advisers may not have maintained all the books and records required by the Books and Records Rule, such as trade records, advisory agreements and general ledgers," the Risk Alert says.
Books and records are inaccurate or not updated. Certain advisers "had errors and omissions in their books and records, such as inaccurate fee schedules and client records or stale client lists," according to the Risk Alert.
Inconsistent recordkeeping. "The staff observed," the OCIE Risk Alert says, "that certain advisers maintained contradictory information in separate sets of records."