Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News November 7, 2005 Issue

An In-Depth Look at the SEC’s 2006 Examination Program

The SECís Office of Compliance Inspections and Examinations will conduct four types of exams in 2006: sweeps, cyclical exams of high-risk advisers, random exams of low-risk advisers, and cause exams.

While that might sound familiar, there are plenty of changes coming your way: There will be fewer sweeps in 2006. A firmís response to deficiencies and cooperation with examiners can influence its risk rating. And OCIE will be ranking advisersí compliance programs as "highly effective," "effective," or "ineffective."

Hereís an in-depth look at the 2006 exam program, which already is underway (the SECís fiscal year begins October 1). This article is based on comments by OCIE associate director Gene Gohlke at the October 20 ALI-ABA investment management conference and the October 26 Investment Adviser Association workshop, and by OCIE director Lori Richards at the October 26 NSCP conference.

There will be fewer sweep exams in 2006. OCIE appears to have taken the findings of the U.S. Government Accountability Office to heart. The GAO, in a September report on the SECís exam program, suggested that OCIE has been relying too heavily on sweep exams to the detriment of traditional full-scope exams. "Going forward," said Gohlke, "we will do fewer of these sweeps than we have in past years." As a result, "there will be more of our resources for the routine exams."

OCIE is no longer conducting baseline exams of all new registrants. The old saw that new registrants will be inspected within a year or two of registration has fallen by the wayside. Baseline exams had been an OCIE goal "a couple of years ago," said Richards. While OCIE would like to conduct an initial examination of every newly-registered advisory firm, "our resources donít allow us to do that." She explained that not only has there been an increase in the number of advisers, there has been an increase in the complexity of advisersí operations. That increased complexity, she noted, necessitates a longer amount of time per firm to conduct a quality examination.

OCIE is working on establishing monitoring teams for larger advisers. This has not been implemented yet, but will be done "as soon as we can get all the iís dotted and tís crossed," said Gohlke. Monitoring teams will be assigned to the "very, very large advisory groups," many of which have "10, 15, 20 different advisory firms" as well as "several fund complexes." In Gohlkeís view, "it makes a lot of sense to try to get to know the firm as a whole," rather than taking a "peek here and there."

High-risk advisers will be placed on a three-year exam cycle. Advisers identified as "high-risk" will be placed on a three-year cycle (thatís up a year from the previously-announced two-year cycle for high-risk firms)

How will firms know whether they are in the high-risk group? They wonít, at least until they notice that examiners seem to show up once every three years.

According to Gohlke, every registered adviser receives a risk rating, based on Form ADV responses and past examinations. The risk rating applies to the advisory firm, not the adviserís funds. "We do not independently rate funds," said Gohlke. (However, when the SEC staff examines an adviser, examiners also will look at any mutual funds or hedge funds that the adviser manages, he said.)

A variety of factors go into the risk rating. Gohlke explained that OCIE has developed a "risk assessment algorithm," which evaluates a firmís responses to the questions on Form ADV Part 1A and generates a score. He mentioned several factors that could lead to a higher risk rating:

  • a large amount of assets under management;
  • a retail client base;
  • having an affiliated broker;
  • having multiple affiliates;
  • employees or independent contractors with significant disciplinary history;
  • having the firmís principals serve as general partners of limited partnerships in which clients invest; and
  • having performance fees as well as straight percentage-of-assets fee arrangements.

Similarly, Richards said that OCIE considers "every single question" on Form ADV. "Every piece of information that we can get, we use," she said.

While every firm receives an algorithmic rating, examinersí on-the-ground experiences can trump that assessment. A firm that looks high-risk "on paper" may have an effective compliance program that mitigates those risks, Gohlke explained. "Once we get in there . . . we may come away and say ĎHey, that firm has recognized that it has conflicts of interest [and] has put in place very effective procedures to manage those conflictsí," he said. "At the end of the day," examiners may conclude that a firm that is high-risk on paper is actually low risk.

The results of a firmís last examination also play a role in determining the firmís status as high risk. According to Richards, the severity and significance of problems found during the last exam is "very important" in assessing risk. And, she said, "if a firm takes steps during an examination to fix problems," or responds to a deficiency letter by clearly communicating the steps they will take to fix the identified problems, "that will give us much more confidence that we donít need to examine the firm as frequently as we might otherwise have," said Richards. "The firmís response to the last examination is an important criteria for us in evaluating risk," she said.

Richards described some remedial actions that a firm can take: improving disclosures, making clients whole, or enhancing internal compliance controls. She noted that if a firm takes steps to implement remedial action during an exam, before the deficiency letter is sent, OCIE will try to reflect the remedial action in the letter.

In addition, Richards indicated that OCIE will weigh a firmís cooperation with examiners when assigning a risk ranking. Cooperation, she said, "has consequences for when we decide what the outcome of an examination should be." If OCIE has confidence that the firm has self-identified a problem, taken meaningful action to address it, and is "telling us about it," she said, "that is going to affect our judgments and our decisions not only about the type of misconduct at hand, but also about the comfort level that we have in the firm going forward."

Low-risk advisers will be selected randomly for exams. The "vast bulk" of the roughly 9,000 advisers and 1,000 fund groups under OCIEís purview are not high risk, said Gohlke. These "low-risk" advisers will not be placed on a cycle. Instead, OCIE, with the help of SEC economists, will select a statistical sample of firms from the low-risk pool. The sample will number "in the hundreds," said Gohlke. Although the SEC wonít necessarily get to each advisory firm on a particular cycle, the possibility of being selected as part of the sample is intended to have "some deterrent effect."

Every adviser in the low-risk pool has an equal chance of being selected for an exam, with no weighting given for recent exams. As a result, there is a remote chance that the same adviser may be selected in the sample two years, back-to-back. However, Gohlke noted that the SECís regional offices "have some ability to select" the individual firms to examine from the random sample provided by headquarters. If the regional office was "just in and the firm was just truly low-risk," the region may decide to do other low-risk firms first, and then, if time permits, get to the recently-examined firm.

OCIE typically provides one to two weeksí notice for routine exams. Each year, one-third of the pool of high-risk advisers, and the random sample of low-risk advisers, will receive a "routine" exam, also known as a "full scope" exam. During a routine exam, said Gohlke, examiners "try to take a look at just about everything a firm is into and what it is doing," while still using a risk-focused approach.

Gohlke said that OCIE typically provides one or two weeksí notice before routine exams. "We realize our requests for information are fairly long," he said. "It may take the firm some time to get that information together." In addition, advance notice helps ensure that relevant firm personnel are on site. However, he added, OCIE is not required to provide advance notice. The closer a firm to the SEC examinersí office, the greater the likelihood of a surprise visit. In the case of the New York examination staff, he noted, "most of their firms are just a subway ride away" and therefore those examiners may be more inclined to show up unannounced. "If nobodyís there, they can go back to the office and do something else," said Gohlke.

Both regional and Washington DC staff conduct exams. Richards said that no conclusions should be drawn from whether regional staff or OCIE Washington staff conduct an exam. "Itís not the case that the folks in Washington do all the high profile exams or significant ones," she said. "Significant examinations are done by all of our staff."

Interestingly, Richards noted that OCIE has a policy that everyone in OCIE is an examiner. That means Richards herself goes out on exams from time to time. "You may sometimes see me come out in the field," she said. "Donít be surprised. I do this."

Compliance programs will be evaluated and rated. Look for examiners to spend "a lot of their time" looking at advisersí compliance programs in 2006. In fact, theyíll be doing more than just looking: theyíll be rating them. During routine exams, said Gohlke, examiners will evaluate the firmís compliance program and rate it as "highly effective," "effective," or "ineffective." If a firmís compliance program is deemed ineffective, "that is teeing that firm up" as a high-risk firm, said Gohlke. "You can expect us to come back in within three years to take another look at your compliance program."

Unlike a firmís overall risk assessment, evaluations of a firmís compliance program are not done using an algorithm or any sort of formal methodology. "Itís qualitative," Gohlke said. "Itís very hard to apply numbers or any type of quantitative measures here. Itís up to the exam staff to evaluate this." Gohlke said that while examiners do use scorecards to guide them through the evaluation of a firm, "at the end of the day, itís a qualitative rating."

Some examples of what examiners will be looking for:

  • Are the firmís compliance policies and procedures appropriate?
  • Have the policies and procedures been implemented? Are managers assigned different responsibilities? For example, said Gohlke, "one would expect" that the head of a firmís trading desk would be responsible for supervising the trading staff to make sure they are observing applicable procedures.
  • Are the policies and procedures effectively deterring violations of the Advisers Act and the securities laws?
  • Are the policies and procedures identifying issues that arise during the normal course of events?
  • Did the firm engage in a risk assessment process when developing its compliance program?

To determine whether a firmís compliance program is working, said Gohlke, examiners "will interact extensively" with managers in key areas of the firm, "since itís those people who are implementing those policies and procedures."

OCIE will continue to ask for a written list of material compliance issues. During routine exams, SEC examiners ask CCOs to provide, in writing on the firmís letterhead, a list of the material compliance issues that arose during the past year (or some other period of time). Gohlke acknowledged that this particular request "gives CCOs some heartburn," but emphasized that OCIE does need this information.

During exams, he explained, "talking to people is helpful, but it is really not disposative of anything." Similarly, he said, simply reading a firmís compliance manual may not provide the full picture. "We can sit down and read a firmís policies and procedures" and get a sense of the compliance program, he said. "Itís very difficult for us to determine whether those policies and procedures are being implemented effectively . . . . We very much want to get into the details. We want to understand in fact how effective that compliance program is."

The reality, said Gohlke, is that "stuff happens." To truly understand how a compliance program is working at a firm, OCIE needs to see what problems arose and how they were addressed. "We feel that every firm has compliance issues," he said. "Theyíre there." If a firmís compliance polices and procedure were effective, the firm should have issues to report, he said. And if a firm claims that it has not had any material compliance issues, "we donít believe that for a second." Either the firmís compliance program is "abysmal," he said, "or else the firm is lying to us."

Information on the issues that the firmís compliance program "teed up" in the recent past, and how those issues were handled once they were presented to their responsible manager, allows OCIE to assess how well the firmís compliance program has been working, explained Gohlke. "Were [the issues] shoved in a desk drawer and forgotten about? Or were they partially addressed but really not effectively because those problems keep arising during subsequent periods? Or did the firm really implement effective means to address those issues?"

Firms should not fear that OCIE is trolling for enforcement referrals, fishing for easy deficiency letter comments, or somehow trying to "entrap" CCOs, said Gohlke. Automatically handing the list over to the SECís Division of Enforcement "would just sort of compromise our whole approach," he noted. The reason the SEC examination staff asks for material compliance issues is to allow firms to "prove to us that [they] have a really good compliance program," he said. "We really donít want to whack CCOs because there are problems at a firm. We realize there are, and we want to see how you handle them."

Richards emphasized the importance of honesty in responding to the material compliance issues question. "When we ask during an examination, have you had any compliance breaches, we expect firms to be honest and forthcoming with us," she said. "We expect you to tell us the truth. We also expect that youíll tell us how you remedied the problem. How did you solve it? How did you fix it going forward?" She noted that occasionally, in past exams, OCIE has found that some firms were less than candid. "They didnít tell us the truth about past problems," said Richards. "We found out post-market timing and late-trading that many firmsí internal compliance staff and legal staff had been aware of those issues and had not disclosed them to SEC staff. I think that indicates a real breakdown in the level of communications between firms and between SEC staff."

Whatís worse, she added, is that "in some cases" legal and compliance may have withheld information and actually misled the staff. "That was a terrible situation and one that I hope will not reoccur," she said.

Firms have an opportunity to influence the content of the deficiency letter. During the exit interview, examiners will "sit down with the CCO and other relevant management persons from the firm" and "go over what it is that we found or at least initial indications of what we have seen," said Gohlke. The exit interview, he said, gives the firm "a chance to tell us ĎWell, you didnít look at this, this, this, and this,í or ĎWe interpret that differentlyí." It gives firms the opportunity to respond to examiners by saying "Well, thereís more to it than just what youíve looked at," he said.